CVE-2024-9264: Grafana Command Injection And Local File Inclusion Via Sql Expressions

October 18, 2024 (updated November 1, 2024)

The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The duckdb binary must be present in Grafana’s $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

References

github.com/advisories/GHSA-q99m-qcv4-fpm7
github.com/grafana/grafana
github.com/grafana/grafana/pull/81666
grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264
grafana.com/security/security-advisories/cve-2024-9264
nvd.nist.gov/vuln/detail/CVE-2024-9264

Code Behaviors & Features

Detect and mitigate CVE-2024-9264 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →