
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical security vulnerability (CVE-2024-45339) was discovered in github.com/golang/glog, affecting versions before v1.2.4. Discovered in January 2025, it is an insecure temporary file handling issue that arises when logs are written to widely-writable directories. It affects systems using the glog logging package, particularly when the process runs with elevated privileges (Go Announce, Go Vuln).
The vulnerability stems from a predictable log file path creation mechanism where an unprivileged attacker can predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When the privileged process runs, it follows the planted symlink and overwrites that sensitive file. The issue is particularly concerning when logs are written to widely-writable directories, which is the default behavior. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD).
The vulnerability can lead to unauthorized file overwrites of sensitive system files when exploited. This is particularly dangerous when the glog-enabled application runs with elevated privileges, as it could allow an attacker to manipulate critical system files through symbolic link manipulation. For example, an attacker could potentially target sensitive files like /etc/shadow through this vulnerability (GitHub PR).
The vulnerability has been fixed in glog version 1.2.4. The fix causes the program to exit with status code 2 when it finds that the configured log file already exists, preventing the symlink attack. Users are strongly advised to upgrade to this version. Those who build the Indico package themselves and cannot upgrade immediately can update the flask-multipass dependency to >=0.5.5 (Go Announce).
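The following added example (not glog's code and not taken from the original report) contrasts a log open that follows a pre-existing symlink with one that refuses any existing path, which is the behaviour the fix description relies on. The function names, the log file name and the decoy file are assumptions made for illustration, and everything runs inside a private temporary directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// openLogUnsafe: without O_EXCL an existing symlink is followed and its target truncated.
func openLogUnsafe(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
}

// openLogExclusive: O_CREATE|O_EXCL fails if anything, even a symlink, is already at path.
func openLogExclusive(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// decoyAfterOpen builds a temp dir with a decoy file and a symlink to it at the
// log path (constructed data), then returns the decoy contents and open's error.
func decoyAfterOpen(open func(string) (*os.File, error)) (string, error) {
	dir, err := os.MkdirTemp("", "logdemo")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	decoy := filepath.Join(dir, "decoy.txt")
	logPath := filepath.Join(dir, "app.INFO.log") // hypothetical predictable name
	if err := os.WriteFile(decoy, []byte("sensitive"), 0o600); err != nil {
		return "", err
	}
	if err := os.Symlink(decoy, logPath); err != nil {
		return "", err
	}
	f, openErr := open(logPath)
	if openErr == nil {
		fmt.Fprintln(f, "log line")
		f.Close()
	}
	data, _ := os.ReadFile(decoy)
	return string(data), openErr
}

func main() {
	got, err := decoyAfterOpen(openLogUnsafe)
	fmt.Printf("unsafe:    decoy=%q err=%v\n", got, err)
	got, err = decoyAfterOpen(openLogExclusive)
	fmt.Printf("exclusive: decoy=%q exists=%v\n", got, os.IsExist(err))
}
```

A logger that treats the "already exists" error as fatal, as the fixed version is described as doing with exit status 2, never writes through the planted link.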
Source: This report was generated using AI