CVE-2022-30630: 
Grafana vulnerability analysis and mitigation

Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. The vulnerability was assigned CVE-2022-30630 and was discovered in 2022, affecting the Go programming language's standard library (NVD, Go Issue).

The vulnerability exists in the io/fs package's Glob function implementation. When processing paths containing numerous path separators, the function can enter an uncontrolled recursive state leading to stack exhaustion. The issue has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-674 (Uncontrolled Recursion) (NVD).

When exploited, this vulnerability can cause a denial of service condition through application panic due to stack exhaustion. The attack affects the availability of the system while not impacting confidentiality or integrity (NVD).

The vulnerability has been fixed in Go versions 1.17.12 and 1.18.4. The fix involves adding a limit to the number of path separators allowed by an input to Glob to prevent stack exhaustion issues. Users are advised to upgrade to these or later versions (Go Announce).