CVE-2024-9264
18.10.2024, 04:15
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
| Vendor | Product | Version |
|---|---|---|
| grafana | grafana | 11.0.5+security-01 < x < 11.0.5+security-01 |
| grafana | grafana | 11.0.6+security-01 < x < 11.0.6+security-01 |
| grafana | grafana | 11.1.6+security-01 < x < 11.1.6+security-01 |
| grafana | grafana | 11.1.7+security-01 < x < 11.1.7+security-01 |
| grafana | grafana | 11.2.1+security-01 < x < 11.2.1+security-01 |
| grafana | grafana | 11.2.2+security-01 < x < 11.2.2+security-01 |
| grafana | grafana | 11.0.0 |

x = vulnerable software versions
Common Weakness Enumeration
- CWE-94 - Improper Control of Generation of Code ('Code Injection'): The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection'): The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.