CVE-2024-8244: 
Grafana vulnerability analysis and mitigation

CVE-2024-8244 is a security vulnerability affecting the filepath.Walk and filepath.WalkDir functions in Go programming language. The vulnerability was discovered and disclosed on October 23, 2024, and is classified as a TOCTOU (time of check/time of use) race condition. The affected functions are documented as not following symbolic links, but both are susceptible to a race condition where a portion of the path being walked can be replaced with a symbolic link while the walk is in progress (Go Issue).

The vulnerability has been assigned a CVSS 3.1 Base Score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The technical nature of the vulnerability involves a race condition in the filepath.Walk and filepath.WalkDir functions, where despite being documented as not following symbolic links, they can be exploited through a TOCTOU race condition. This occurs when a portion of the path being walked is replaced with a symbolic link during the walk operation (Ubuntu CVE).

The vulnerability's impact is characterized by low confidentiality and integrity impacts, with no availability impact. The race condition can potentially lead to unauthorized file access or directory traversal. The impact is particularly relevant in scenarios where the Walk/WalkDir API is used to access files, as the file may be replaced between the WalkFunc/WalkDirFunc being invoked and making use of the file name (Go Issue).

To mitigate this vulnerability, it is recommended to use a traversal-resistant API to access files, such as github.com/google/safeopen or the proposed os.Root (#67002). Using a traversal-resistant file API will defend against races in Walk/WalkDir itself. Due to the inherent raciness of the Walk/WalkDir API and the non-trivial implementation changes required, this has been classified as a PUBLIC track vulnerability (Go Issue).