The vulnerability lies in the insecure creation of log files, where a predictable log file path could be replaced by a symbolic link by an attacker, leading a privileged process to overwrite a sensitive file. The analysis of the provided patch (commit b8741656e406e66d6992bc2c9575e460ecaa0ec2) shows changes in glog_file.go:
createInDir was modified to replace os.Create(fname) with os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666). The os.Create call was the vulnerable part as it would follow symlinks. The O_EXCL flag in os.OpenFile prevents this by failing if the file already exists.

create calls createInDir after determining the log filename. The predictability of this filename (as mentioned in the commit message) is a key component of the vulnerability. The test added in glog_test.go, TestCreateFailsIfExists, specifically tests the create function to ensure it now fails if the log file already exists, confirming that create is the entry point for the behavior that was vulnerable.

Both functions would appear in a runtime profile during the log file creation process where the vulnerability could be exploited. createInDir contained the directly vulnerable file operation, and create was its immediate caller that set up the operation with a predictable filename.

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/golang/glog | go | < 1.2.4 | 1.2.4 |
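The behavioural difference between the two calls named in the analysis, as an added example rather than glog's own code: a symlink already sits at the log path, and each creation call is run against it. The helper names (createLegacy, createExclusive, run) and the file names are constructed for illustration, and a Unix-like system is assumed for os.Symlink.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// createLegacy mirrors the pre-patch call: os.Create truncates and follows symlinks.
func createLegacy(fname string) (*os.File, error) { return os.Create(fname) }

// createExclusive mirrors the patched call: O_EXCL refuses any existing path.
func createExclusive(fname string) (*os.File, error) {
	return os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
}

// run places a symlink at a constructed log path, calls create on that path,
// and returns the link target's content afterwards plus create's error.
func run(create func(string) (*os.File, error)) (string, error) {
	dir, err := os.MkdirTemp("", "glog-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "sensitive.conf")     // constructed stand-in file
	logPath := filepath.Join(dir, "prog.host.log.INFO") // constructed log name
	if err := os.WriteFile(target, []byte("keep me"), 0600); err != nil {
		panic(err)
	}
	if err := os.Symlink(target, logPath); err != nil {
		panic(err)
	}
	f, createErr := create(logPath)
	if createErr == nil {
		f.Close()
	}
	data, err := os.ReadFile(target)
	if err != nil {
		panic(err)
	}
	return string(data), createErr
}

func main() {
	content, err := run(createLegacy)
	fmt.Printf("os.Create: target=%q err=%v\n", content, err)
	content, err = run(createExclusive)
	fmt.Printf("O_EXCL:    target=%q exists=%v\n", content, errors.Is(err, fs.ErrExist))
}
```

With os.Create the target file is left empty; with O_EXCL the open fails with an "already exists" error and the target keeps its content.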