CVE-2024-9264: Grafana Command Injection And Local File Inclusion Via Sql Expressions
(updated )
The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb
queries containing user input. These queries are insufficiently sanitized before being passed to duckdb
, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The duckdb
binary must be present in Grafana’s $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
References
Detect and mitigate CVE-2024-9264 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →