#VU98806 PHP file inclusion in Grafana - CVE-2024-9264

Cybersecurity Help s.r.o.

Published: 2024-10-18 | Updated: 2024-10-22

Vulnerability identifier: #VU98806

Vulnerability risk: Medium

CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-9264

CWE-ID: CWE-98

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Grafana
Web applications / Other software

Vendor: Grafana Labs

Description

The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.

The vulnerability exists due to improper input validation when handling data passed to "duckdb". A remote user with VIEWER permissions include and execute arbitrary PHP on the system with privileges of the web server.

Note, the duckdb binary must be present in Grafana’s $PATH for this attack to function. By default, this binary is not installed in Grafana distributions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Grafana: 11.0.0 - 11.0.6, 11.1.0 - 11.1.7, 11.2.0 - 11.2.2

External links
https://grafana.com/security/security-advisories/cve-2024-9264/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Remote code execution in Grafana SQL Expressions