CVE-2024-9264

Date: October 17, 2024

The SQL Expressions experimental feature of Grafana allows for the evaluation of "duckdb" queries containing user input. These queries are insufficiently sanitized before being passed to "duckdb", leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The "duckdb" binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

Severity Score

Weakness Type (CWE)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

Top Fix

Upgrade Version

Upgrade github.com/grafana/grafana to one of the following fixed versions:

v11.0.6+security-01
v11.1.7+security-01
v11.2.2+security-01

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH