grafana-enterprise is vulnerable to Code Injection
98
Critical Risk
Affected versions of the package are vulnerable to code injection due to an issue in an experimental feature named SQL Expressions. This feature allows data source query outputs to be post-processed by executing SQL queries against the data. The vulnerability arises because the package passes the query and data to the DuckDB CLI, where the SQL queries are executed; these queries were not properly sanitized, enabling an attacker to inject arbitrary commands, potentially leading to command injection or local file inclusion.
You are affected only if you are running a version within the vulnerable ranges and the system has DuckDB installed and included in the PATH that Grafana runs with.
grafana-enterprise is vulnerable to Code Injection in versions 11.0.0 - 11.0.6, 11.1.0 - 11.1.7 and 11.2.0 - 11.2.2.
Upgrade grafana-enterprise to a patched version.
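The two exposure conditions above (a build inside one of the listed ranges, plus a `duckdb` executable resolvable on Grafana's PATH) can be checked mechanically. The following script is an added example written for this advisory, not code from Grafana or from the advisory's publisher; the function names are my own, it assumes the version string is in `MAJOR.MINOR.PATCH` form (a leading `v` or a `+security-01` style suffix is tolerated), and it treats the ranges exactly as the advisory states them, inclusive at both ends.

```python
"""Exposure check for the grafana-enterprise SQL Expressions advisory.

Added example (not Grafana's code): decides whether a given build falls in
an affected range and whether the DuckDB CLI is reachable on a PATH.
"""
import re
import shutil
import sys

# Affected ranges exactly as listed in the advisory, inclusive at both ends.
AFFECTED_RANGES = (
    ((11, 0, 0), (11, 0, 6)),
    ((11, 1, 0), (11, 1, 7)),
    ((11, 2, 0), (11, 2, 2)),
)


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', optional suffix such
    as '+security-01' or '-pre') into a comparable (major, minor, patch) tuple.
    Tuple comparison gives correct numeric ordering, unlike string comparison
    ('11.10.0' > '11.9.0' holds for tuples but not for strings)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(text: str) -> bool:
    """True if the version lies inside any of the advisory's ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def duckdb_on_path(path=None) -> bool:
    """True if a 'duckdb' executable resolves on PATH. Pass the PATH value
    exported to the Grafana service (e.g. from its unit file) rather than
    relying on the calling shell's PATH, since the two often differ."""
    return shutil.which("duckdb", path=path) is not None


def is_exposed(version: str, path=None) -> bool:
    """Both advisory conditions must hold for the instance to be exposed."""
    return version_in_affected_range(version) and duckdb_on_path(path)


if __name__ == "__main__":
    # Usage: python check.py <grafana-version> [PATH-as-seen-by-grafana]
    ver = sys.argv[1] if len(sys.argv) > 1 else "11.1.3"  # constructed default
    svc_path = sys.argv[2] if len(sys.argv) > 2 else None
    print(f"version {ver} in affected range: {version_in_affected_range(ver)}")
    print(f"duckdb on PATH: {duckdb_on_path(svc_path)}")
    print(f"exposed: {is_exposed(ver, svc_path)}")
```

Note that a build outside the ranges, or a host where `duckdb` is absent from the service's PATH, is reported as not exposed; a "not exposed" result on the PATH condition is only a temporary mitigation, and upgrading to a patched version remains the fix.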