Grafana SQL Expressions Vulnerability: Command Injection and Local File Inclusion Risks
Key Information
- Vendor: Grafana
- Status: Grafana (Vendor)
- CVE Published: 18 October 2024
Summary
The Grafana SQL Expressions Vulnerability (CVE-2024-9264) is a critical security flaw that introduces command injection and local file inclusion risks. It affects Grafana versions 11.0.x, 11.1.x, and 11.2.x, and has a CVSS v3.1 score of 9.9, indicating its severity. The vulnerability allows users with VIEWER or higher permissions to execute attacks, potentially accessing any file on the host machine. Grafana Labs has released patch versions to fix the vulnerability and recommends immediate installation for affected users. The timeline of the discovery and the actions taken for mitigation is also detailed. This vulnerability has reportedly not been exploited by ransomware groups.
Affected Version(s)
Grafana < 11.0.5
Grafana < 11.1.6
Grafana < 11.2.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
- Vulnerability Recap 10/21/24: Apple, Google Meet, Kubernetes
  We keep seeing instances where threat actors exploit already-patched software. This is your weekly encouragement to patch your products now.
  (2 weeks ago)
- Grafana critical vulnerability risks remote code execution
  The experimental SQL Expressions feature contains a flaw due to insufficient query sanitization.
  (3 weeks ago)
- Grafana security release: Critical severity fix for CVE-2024-9264 | Grafana Labs
  Today we rolled out patch releases for Grafana 11.0.x, 11.1.x, and 11.2.x that include a critical severity security fix. If you are affected, we recommend that you install newly released versions.
  (3 weeks ago)
Timeline
- Exploit exists.
- Vulnerability reached the number 1 worldwide trending spot.
- Vulnerability started trending.
- Risk change from: null to: 9.9 - (CRITICAL)
- Vulnerability published.
- First article discovered by Grafana.
- Vulnerability reserved.