
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-30631 is a security vulnerability discovered in Go's compress/gzip package affecting versions before Go 1.17.12 and Go 1.18.4. The vulnerability involves uncontrolled recursion in the Reader.Read method that allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files (NVD, Go Issue).
The vulnerability is classified as CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 Base Score of 7.5 (HIGH). The issue occurs in the Reader.Read implementation within the compress/gzip package, where processing an archive with numerous concatenated empty compressed files could trigger unbounded recursion, leading to stack exhaustion (NVD).
When exploited, this vulnerability can cause a denial of service through application panic due to stack exhaustion. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), affecting only availability (A:H) without compromising confidentiality or integrity (NVD).
The issue has been fixed in Go versions 1.17.12 and 1.18.4 by replacing the recursion in the Reader.Read implementation with iteration, changing how the compress/gzip package advances across concatenated files. Users are advised to upgrade to these or later versions (Go Patch, Go Announce).
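As an added example (not code from this report or from the Go project), the helper below shows a defensive way to consume untrusted multi-member gzip input: it never lets gzip.Reader advance across member boundaries on its own (Multistream(false) plus an explicit Reset per member), so the recursive path in Reader.Read is not exercised on unpatched versions, and it caps the number of concatenated members so a stream of thousands of empty files is rejected instead of processed. The function names, the member limit and the sample payloads are assumptions for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"errors"
	"io"
)

var ErrTooManyMembers = errors.New("gzip: too many concatenated members")

// ReadGzipBounded decompresses a possibly multi-member gzip stream without
// letting the Reader cross member boundaries on its own: Multistream(false)
// makes Read stop at the end of each member, and the loop steps to the next
// one with Reset. The member count is capped (limit is a caller assumption).
func ReadGzipBounded(r io.Reader, maxMembers int) ([]byte, error) {
	br := bufio.NewReader(r) // an io.ByteReader, so gzip does not wrap it again
	zr, err := gzip.NewReader(br)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	for members := 1; ; members++ {
		if members > maxMembers {
			return nil, ErrTooManyMembers
		}
		zr.Multistream(false) // Reset re-enables multistream, so disable it each round
		if _, err := io.Copy(&out, zr); err != nil {
			return nil, err
		}
		// Advance to the next member; io.EOF here means the stream ended cleanly.
		if err := zr.Reset(br); err == io.EOF {
			return out.Bytes(), nil
		} else if err != nil {
			return nil, err
		}
	}
}

// ConcatGzip builds a constructed test stream with one gzip member per payload
// (a nil payload yields a 0-length member, the shape described in the advisory).
func ConcatGzip(payloads [][]byte) []byte {
	var buf bytes.Buffer
	for _, p := range payloads {
		zw := gzip.NewWriter(&buf)
		zw.Write(p)
		zw.Close()
	}
	return buf.Bytes()
}
```

On patched Go the recursion is gone, but a member-count cap remains a sensible limit for any service that decompresses attacker-supplied input.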
Source: This report was generated using AI