Home > Vulnerability Database > CVE-2024-9264

Mend.io Vulnerability Database

CVE-2024-9264

Good to know:

Date: October 17, 2024

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

Severity Score

9.9

Related Resources (8)

Url: https://github.com/advisories/GHSA-q99m-qcv4-fpm7

Url: https://github.com/grafana/grafana

Url: https://github.com/grafana/grafana/pull/81666

Url: https://grafana.com/security/security-advisories/cve-2024-9264/

Url: https://grafana.com/security/security-advisories/cve-2024-9264

Url: https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-9264

Url: https://www.mend.io/vulnerability-database/CVE-2024-9264

Severity Score

9.9

Weakness Type (CWE)

Command Injection

CWE-77

Code Injection

CWE-94

Top Fix

Upgrade Version

Upgrade to version 11.0.5+security-01,11.0.6+security-01,11.1.6+security-01,11.1.7+security-01,11.2.1+security-01,v11.2.2+security-01

Learn More

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-9264

Good to know:

Date: October 17, 2024

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?