CVE-2024-9264 - Grafana SQL Expressions Command Injection and Local File Inclusion Vulnerability

1 month ago 16
ARTICLE AD BOX
CVE ID : CVE-2024-9264
Published : Oct. 18, 2024, 4:15 a.m. | 24 minutes ago
Description : The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
Severity: 9.9 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Read Entire Article