Grafana SQL Expressions allow for remote code execution

CVE ID: CVE-2024-9264

Date Published: October 17, 2024

Description:

The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input.

These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack.

The duckdb binary must be present in Grafana’s $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

This vulnerability first appeared in Grafana 11.0.0, and is fixed in the following versions, both for OSS and Enterprise:

11.0.5+security-01

11.1.6+security-01

11.2.1+security-01

11.0.6+security-01

11.1.7+security-01

11.2.2+security-01

(Note: We have provided fixes for both the most recent and previous patch versions of all impacted releases so that users who are still in the process of updating have an option to immediately mitigate this vulnerability without making other changes).
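As an added illustration (not code from the advisory or from the Grafana project), the following Python snippet turns the affected-version information above into a check a defender can run against an inventory of Grafana instances. It encodes the listed fixed versions and the first affected release, orders the "+security-01" builds correctly between plain patch releases, and also reports whether a duckdb binary is reachable on the PATH, since the advisory states the attack only works when it is. Two assumptions are made and labelled in the code: that any release newer than the highest fixed build in its minor line, or in a minor line newer than all patched lines, carries the fix, and that version strings follow the major.minor.patch[+security-NN] form shown in the advisory (pre-release suffixes are rejected rather than guessed at).

```python
import re
import shutil
from typing import List, Optional, Tuple

# Fixed versions exactly as listed in the advisory for CVE-2024-9264.
FIXED_VERSIONS: List[str] = [
    "11.0.5+security-01",
    "11.1.6+security-01",
    "11.2.1+security-01",
    "11.0.6+security-01",
    "11.1.7+security-01",
    "11.2.2+security-01",
]

# The advisory states the vulnerability first appeared in 11.0.0.
FIRST_AFFECTED = (11, 0, 0, 0)

# Assumed format: major.minor.patch with an optional "+security-NN" build tag.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a Grafana version string into a sortable tuple.

    The fourth element is the security build number, so that
    11.0.5 < 11.0.5+security-01 < 11.0.6 orders as expected.
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch, sec = match.groups()
    return (int(major), int(minor), int(patch), int(sec) if sec else 0)


_FIXED: List[Version] = [parse_version(v) for v in FIXED_VERSIONS]
_NEWEST_PATCHED_LINE = max(f[:2] for f in _FIXED)


def is_vulnerable(version: str) -> bool:
    """Return True if the given Grafana version lacks the fix for CVE-2024-9264."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # predates the SQL Expressions feature entirely
    line = v[:2]
    fixed_in_line = [f for f in _FIXED if f[:2] == line]
    if not fixed_in_line:
        # Assumption: minor lines newer than every patched line (11.3+) were
        # released with the fix; older lines without a patched build are not.
        return line <= _NEWEST_PATCHED_LINE
    if v in fixed_in_line:
        return False  # exactly one of the listed fixed builds
    # Assumption: releases after the newest fixed build in the line carry the fix.
    return v <= max(fixed_in_line)


def duckdb_on_path(path: Optional[str] = None) -> Optional[str]:
    """Return the duckdb binary location if it is on PATH (or the given path), else None.

    The advisory notes the attack requires duckdb on Grafana's $PATH, so its
    absence is a useful secondary signal when prioritising upgrades.
    """
    return shutil.which("duckdb", path=path)


def assess(version: str, path: Optional[str] = None) -> str:
    """Summarise exposure for one instance as a short status string."""
    if not is_vulnerable(version):
        return "not affected"
    if duckdb_on_path(path):
        return "VULNERABLE: unpatched and duckdb binary reachable"
    return "unpatched (duckdb binary not found on PATH, but upgrade is still required)"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("grafana-a", "11.0.5"), ("grafana-b", "11.0.5+security-01"),
                      ("grafana-c", "10.4.3"), ("grafana-d", "11.2.2")]:
        print(f"{host:10} {ver:22} {assess(ver)}")
```

Run it with the constructed inventory at the bottom, or import `is_vulnerable` into an existing asset-inventory script; `parse_version` raises on strings it does not recognise rather than silently treating them as patched.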