Grafana SQL Expressions Vulnerability: Command Injection and Local File Inclusion Risks

CVE-2024-9264
8.8 HIGH

Key Information

Vendor: Grafana
Status: Grafana Vendor
CVE Published: 18 October 2024

Badges

🔥 No. 1 Trending · 😄 Trended · 👾 Exploit Exists · 🔴 Public PoC · 📰 News Worthy

Summary

The Grafana SQL Expressions vulnerability (CVE-2024-9264) is a critical security flaw that introduces command injection and local file inclusion risks. It affects Grafana versions 11.0.x, 11.1.x, and 11.2.x, and has a CVSS v3.1 score of 9.9, indicating its severity. The vulnerability allows users with VIEWER or higher permissions to carry out attacks that can potentially read any file on the host machine. Grafana Labs has released patched versions that fix the vulnerability and recommends that affected users install them immediately. The timeline of the discovery and the mitigation actions taken is also detailed. This vulnerability has reportedly not been exploited by ransomware groups.

Affected Version(s)

Grafana < 11.0.5

Grafana < 11.1.6

Grafana < 11.2.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit exists.

  • 🔥 Vulnerability reached the number 1 worldwide trending spot.

  • Vulnerability started trending.

  • Risk change from: null to: 9.9 - (CRITICAL)

  • Vulnerability published.

  • First article discovered by Grafana

  • Vulnerability Reserved.

Collectors

  • NVD Database

  • Mitre Database

  • 4 Proof of Concept(s)

  • 3 News Article(s)