{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9264", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2024-09-26T20:15:46.544Z", "datePublished": "2024-10-18T03:20:52.489Z", "dateUpdated": "2024-11-01T03:55:21.947Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/grafana/grafana/", "defaultStatus": "unaffected", "product": "Grafana", "vendor": "Grafana", "versions": [{"changes": [{"at": "+security-01", "status": "unaffected"}], "lessThan": "11.0.5", "status": "affected", "version": "11.0.0", "versionType": "semver"}, {"changes": [{"at": "+security-01", "status": "unaffected"}], "lessThan": "11.1.6", "status": "affected", "version": "11.1.0", "versionType": "semver"}, {"changes": [{"at": "+security-01", "status": "unaffected"}], "lessThan": "11.2.1", "status": "affected", "version": "11.2.0", "versionType": "semver"}, {"changes": [{"at": "+security-01", "status": "unaffected"}], "lessThan": "11.0.6", "status": "affected", "version": "11.0.0", "versionType": "semver"}, {"changes": [{"at": "+security-01", "status": "unaffected"}], "lessThan": "11.1.7", "status": "affected", "version": "11.1.0", "versionType": "semver"}, {"changes": [{"at": "+security-01", "status": "unaffected"}], "lessThan": "11.2.2", "status": "affected", "version": "11.2.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, <span style=\"background-color: transparent;\">leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. </span>The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.<br>"}], "value": "The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242: Code Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2024-10-18T03:20:52.489Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-9264/"}], "source": {"discovery": "INTERNAL"}, "title": "Grafana SQL Expressions allow for remote code execution", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "grafana", "product": "grafana", "cpes": ["cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "11.0.0", "status": "affected", "lessThan": "11.0.5\\+security-01", "versionType": "semver"}, {"version": "11.0.6", "status": "affected", "lessThan": "11.0.6\\+security-01", "versionType": "semver"}, {"version": "11.1.0", "status": "affected", "lessThan": "11.1.6\\+security-01", "versionType": "semver"}, {"version": "11.1.7", "status": "affected", "lessThan": "11.1.7\\+security-01", "versionType": "semver"}, {"version": "11.2.0", "status": "affected", "lessThan": "11.2.1\\+security-01", "versionType": "semver"}, {"version": "11.2.2", "status": "affected", "lessThan": "11.2.2\\+security-01", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-31T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-9264"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-01T03:55:21.947Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9264", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-18T14:12:08.366972Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"], "vendor": "grafana", "product": "grafana", "versions": [{"status": "affected", "version": "11.0.0", "lessThan": "11.0.5\\+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.0.6", "lessThan": "11.0.6\\+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.1.0", "lessThan": "11.1.6\\+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.1.7", "lessThan": "11.1.7\\+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.2.0", "lessThan": "11.2.1\\+security-01", "versionType": "semver"}, {"status": "affected", "version": "11.2.2", "lessThan": "11.2.2\\+security-01", "versionType": "semver"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-18T14:24:33.583Z"}}], "cna": {"title": "Grafana SQL Expressions allow for remote code execution", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242: Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Grafana", "product": "Grafana", "versions": [{"status": "affected", "changes": [{"at": "+security-01", "status": "unaffected"}], "version": "11.0.0", "lessThan": "11.0.5", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "+security-01", "status": "unaffected"}], "version": "11.1.0", "lessThan": "11.1.6", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "+security-01", "status": "unaffected"}], "version": "11.2.0", "lessThan": "11.2.1", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "+security-01", "status": "unaffected"}], "version": "11.0.0", "lessThan": "11.0.6", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "+security-01", "status": "unaffected"}], "version": "11.1.0", "lessThan": "11.1.7", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "+security-01", "status": "unaffected"}], "version": "11.2.0", "lessThan": "11.2.2", "versionType": "semver"}], "collectionURL": "https://github.com/grafana/grafana/", "defaultStatus": "unaffected"}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-9264/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.", "supportingMedia": [{"type": "text/html", "value": "The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, <span style=\"background-color: transparent;\">leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. </span>The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2024-10-18T03:20:52.489Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9264", "state": "PUBLISHED", "dateUpdated": "2024-11-01T03:55:21.947Z", "dateReserved": "2024-09-26T20:15:46.544Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2024-10-18T03:20:52.489Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:11.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "876CCACF-B9AF-4358-AB56-58C86303B463", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions."}, {"lang": "es", "value": "La caracter\u00edstica experimental SQL Expressions de Grafana permite la evaluaci\u00f3n de consultas `duckdb` que contienen informaci\u00f3n del usuario. Estas consultas no se desinfectan lo suficiente antes de pasarlas a `duckdb`, lo que genera una vulnerabilidad de inyecci\u00f3n de comandos e inclusi\u00f3n de archivos locales. Cualquier usuario con el permiso VIEWER o superior puede ejecutar este ataque. El binario `duckdb` debe estar presente en $PATH de Grafana para que este ataque funcione; de manera predeterminada, este binario no est\u00e1 instalado en las distribuciones de Grafana."}], "id": "CVE-2024-9264", "lastModified": "2024-11-01T18:14:31.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security@grafana.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "subsequentSystemIntegrity": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2024-10-18T04:15:04.723", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2024-9264/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@grafana.com", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: Command injection and local file inclusion via SQL Expressions", "id": "2316409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316409"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-77", "details": ["The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.", "A vulnerability was found in Grafana. An experimental feature named SQL Expressions was recently added to Grafana to allow query output to be post-processed using SQL. These SQL queries were incompletely sanitized, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission can execute this attack."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-9264", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2024-10-24T05:04:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-9264\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-9264\nhttps://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/"], "statement": "This vulnerability is classified as critical instead of important because it allows for command injection and local file inclusion, potentially leading to arbitrary code execution or unauthorized access to sensitive files. The exploit can be carried out by any user with VIEWER or higher permissions, significantly increasing the attack surface. Moreover, due to an incorrect implementation of feature flags, the SQL Expressions feature is enabled by default for the API, making it more likely to be exposed in affected deployments. Although the vulnerability requires the presence of the DuckDB binary in the Grafana process's PATH, systems that meet this condition are at significant risk. \nIt\u2019s important to note that this issue was introduced in a Grafana version not included in any Red Hat offerings, ensuring that Red Hat customers are not impacted.", "threat_severity": "Critical"}