VDB

CVE-2024-9264

CVE-2024-9264 PUBLISHED

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

EPSS 94.05% · 99.9th percentile

Risk Scores

EPSS Score
94.05%
99.9th percentile

Affected Products

VendorProductVersions
Bitnamigrafana11.0.0
Bitnamigrafana11.0.0

Exploit Intelligence

…and 323 more exploits

Timeline

  • Oct 17, 2024 CVE Published
  • Oct 18, 2024 EPSS Score
  • Oct 18, 2024 Coalition ESS Score
  • Oct 18, 2024 Coalition ESS Score
  • Oct 22, 2024 PoC Published
  • Nov 6, 2024 Coalition ESS Score
  • Nov 24, 2024 EPSS Score
  • Dec 14, 2024 EPSS Score
  • Jan 12, 2025 EPSS Score
  • Jan 20, 2025 EPSS Score
  • Feb 2, 2025 EPSS Score
  • Feb 7, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›