CVE-2024-9264 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-9264 PUBLISHED

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

EPSS 94.05% · 99.9th percentile

Risk Scores

EPSS Score

94.05%

99.9th percentile

Affected Products

Vendor	Product	Versions
Bitnami	grafana	11.0.0
Bitnami	grafana	11.0.0

Timeline

Oct 17, 2024 CVE Published
Oct 18, 2024 EPSS Score
Oct 18, 2024 Coalition ESS Score
Oct 18, 2024 Coalition ESS Score
Oct 22, 2024 PoC Published
Nov 6, 2024 Coalition ESS Score
Nov 23, 2024 EPSS Score
Dec 12, 2024 EPSS Score
Jan 12, 2025 EPSS Score
Jan 17, 2025 EPSS Score
Feb 2, 2025 EPSS Score
Feb 4, 2025 EPSS Score

References

Open in Interactive Console →