Remote code execution in Grafana SQL Expressions
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-9264 |
| CWE-ID | CWE-98 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Grafana Web applications / Other software |
| Vendor | Grafana Labs |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) PHP file inclusion
EUVDB-ID: #VU98806
Risk: Medium
CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-9264
CWE-ID:
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user to include and execute arbitrary PHP files on the server.
The vulnerability exists due to improper input validation when handling data passed to "duckdb". A remote user with VIEWER permissions include and execute arbitrary PHP on the system with privileges of the web server.
Note, the duckdb binary must be present in Grafana’s $PATH for this attack to function. By default, this binary is not installed in Grafana distributions.
Install updates from vendor's website.
Vulnerable software versionsGrafana: 11.0.0 - 11.2.2
CPE2.3- cpe:2.3:a:grafana_labs:grafana:11.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:11.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:11.2.2:*:*:*:*:*:*:*
https://grafana.com/security/security-advisories/cve-2024-9264/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
