PT-2024-7005 · Duckdb+3
Published 2024-04-23 · Updated 2026-03-11 · CVE-2024-9264
CVSS v3.1: 9.9 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Grafana versions prior to v11.0.6+security-01
Grafana versions prior to v11.1.7+security-01
Grafana versions prior to v11.2.2+security-01
Description
The SQL Expressions experimental feature of Grafana evaluates duckdb queries that contain user input. These queries are insufficiently sanitized before being passed to duckdb, which leads to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission can carry out this attack. The duckdb binary must be present in Grafana's $PATH for the attack to work; by default, this binary is not installed in Grafana distributions. Over 538k results are found on ZoomEye, indicating a large number of potentially affected devices worldwide. The vulnerability is actively exploited in the wild.
Recommendations
For versions prior to v11.0.6+security-01, update to v11.0.6+security-01 or later.
For versions prior to v11.1.7+security-01, update to v11.1.7+security-01 or later.
For versions prior to v11.2.2+security-01, update to v11.2.2+security-01 or later.
As a temporary workaround, consider disabling the SQL Expressions feature until a patch is available.
Restrict access to the duckdb binary to minimize the risk of exploitation.
Avoid using the SQL Expressions feature with untrusted user input until the issue is resolved.
Exploit
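The recommendations above map each affected release branch to its first fixed version and add the duckdb-on-$PATH precondition from the description. The following Python helper, added here as an example and not part of the advisory or of Grafana, turns that into an exposure check an operator can run against an inventory of Grafana instances. It assumes version strings of the form `11.1.5` or `v11.1.7+security-01` (the format used in this advisory); versions on branches the advisory does not list (for example 11.3) are treated as out of scope, and versions below 11.0 are flagged only because they are literally "prior to" every fixed version listed here, so confirm them against the vendor advisory.

```python
import re
import shutil

# First fixed version per affected minor branch, taken from the advisory.
FIXED_VERSIONS = {
    (11, 0): "v11.0.6+security-01",
    (11, 1): "v11.1.7+security-01",
    (11, 2): "v11.2.2+security-01",
}

# Accepts "11.1.5", "v11.1.5" and "v11.1.7+security-01" (assumed format).
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(text):
    """Parse a Grafana version string into a comparable tuple.

    The optional "+security-NN" suffix sorts after the plain release of the
    same number, so 11.2.2 < 11.2.2+security-01.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec) if sec else 0)


def is_vulnerable(version):
    """True if the version is below the fixed release of its branch.

    Branches newer than those listed are assumed unaffected (assumption:
    the advisory lists no fix for them). Versions below 11.0 are reported
    as vulnerable because they precede every listed fix; verify their
    actual scope with the vendor.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < parse_version(FIXED_VERSIONS[branch])
    return branch < (11, 0)


def recommended_version(version):
    """Return the upgrade target for an affected version, or None."""
    branch = parse_version(version)[:2]
    if branch in FIXED_VERSIONS:
        return FIXED_VERSIONS[branch]
    # Older branches have no listed fix; the lowest fixed release is the target.
    return FIXED_VERSIONS[(11, 0)] if branch < (11, 0) else None


def assess(version, which=shutil.which):
    """Combine the version check with the duckdb-on-PATH precondition.

    `which` is injectable so the check can be run against a remote host's
    PATH lookup or stubbed in tests; by default it inspects the local PATH.
    """
    vulnerable = is_vulnerable(version)
    duckdb_path = which("duckdb")
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "duckdb_on_path": duckdb_path is not None,
        # Per the advisory, exploitation needs both conditions.
        "exploitable": vulnerable and duckdb_path is not None,
        "upgrade_to": recommended_version(version) if vulnerable else None,
    }


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    for v in ["11.1.5", "v11.1.7+security-01", "11.2.2", "11.3.0"]:
        print(assess(v))
```

Feed `assess()` the version reported by each instance's `/api/health` endpoint and an appropriate `which` for that host; an instance that is `vulnerable_version` but not `duckdb_on_path` still warrants the upgrade, since the precondition holds only until someone installs duckdb.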
Fix
RCE
Command Injection
Code Injection
Related Identifiers
Affected Products
Grafana
Red Os
Suse
Duckdb