Description
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
INFO
Published Date: 2024-10-18T03:20:52.489Z
Last Modified: 2025-03-14T10:03:06.561Z
Source: GRAFANA
AFFECTED PRODUCTS
The following products are affected by the CVE-2024-9264 vulnerability.
| Vendors | Products |
|---|---|
| Grafana | Grafana |
CVSS Vulnerability Scoring System
[Chart placeholder: CVSS v4.0 metric breakdown (Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, Vulnerable System Confidentiality/Integrity/Availability, Subsequent System Confidentiality/Integrity/Availability); metric values are not present in this extraction.]
[Chart placeholder: CVSS v3.x metric breakdown (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact); metric values are not present in this extraction.]