VDB
CVE-2024-9264
CVE-2024-9264
PUBLISHED
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
EPSS 94.05% · 99.9th percentile
Risk Scores
EPSS Score
94.05%
99.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | grafana | 11.0.0 |
| Bitnami | grafana | 11.0.0 |
Exploit Intelligence
- yeonchoda/CVE-2024-9264 (github-poc-repo)
- yeonchoda/CVE-2024-9264 (github-poc-repo)
- yeonchoda/CVE-2024-9264 (github-poc-repo)
- yeonchoda/CVE-2024-9264 (github-poc-repo)
- yeonchoda/CVE-2024-9264 (github-poc-repo)
- yeonchoda/CVE-2024-9264 (github-poc-repo)
- yeonchoda/CVE-2024-9264 (github-poc-repo)
- yeonchoda/CVE-2024-9264 (github-poc-repo)
- yeonchoda/CVE-2024-9264 (github-poc-repo)
- yeonchoda/CVE-2024-9264 (github-poc-repo)
…and 323 more exploits
Timeline
- Oct 17, 2024 CVE Published
- Oct 18, 2024 EPSS Score
- Oct 18, 2024 Coalition ESS Score
- Oct 18, 2024 Coalition ESS Score
- Oct 22, 2024 PoC Published
- Nov 6, 2024 Coalition ESS Score
- Nov 24, 2024 EPSS Score
- Dec 14, 2024 EPSS Score
- Jan 12, 2025 EPSS Score
- Jan 20, 2025 EPSS Score
- Feb 2, 2025 EPSS Score
- Feb 7, 2025 EPSS Score