CVE-2024-9264 is a critical-severity vulnerability in Grafana's experimental SQL Expressions feature. It affects the 11.x line from 11.0.0 up to the fixed releases listed below (not 11.0.0 and earlier). SQL Expressions hands queries that contain user-supplied input to the duckdb binary without sufficient sanitization, which allows command injection and local file inclusion. Any authenticated user with the Viewer role or higher can trigger it, but only when a duckdb binary is present in the $PATH of the Grafana server process; Grafana distributions do not ship that binary by default, so a host without it is not exploitable through this bug. The fix is to upgrade to 11.0.5, 11.1.6, 11.2.1, 11.0.6, 11.1.7 or 11.2.2 (Grafana published these as +security-01 builds). For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-9264.
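The two preconditions the advisory names (an affected 11.x release, and a duckdb binary reachable from the Grafana process) are what a triage pass checks first. The script below is an added example, not part of the advisory or of Grafana's own tooling. It assumes the version floors given by the fix list above (11.0.5, 11.1.6, 11.2.1), strips build metadata such as +security-01 before comparing, and takes the PATH to search as an argument because the PATH of a systemd-managed Grafana service is often narrower than that of an interactive shell; pass the value from the unit file, not from your login shell.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-9264 (not from the advisory or from Grafana).
# Version floors are assumed from the fix list in the advisory text above;
# confirm against the vendor advisory before relying on this for a sign-off.

# Returns 0 if VERSION (e.g. "11.1.3") is an 11.x release older than the first
# fixed release of its minor line, 1 otherwise. Build metadata ("+security-01")
# and pre-release suffixes ("-pre") are stripped before comparison.
grafana_version_affected() {
    ver="${1%%+*}"                      # drop build metadata after '+'
    ver="${ver%%-*}"                    # drop pre-release suffix after '-'
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    # Only the 11.x line carries the SQL Expressions feature per the advisory.
    [ "$major" = "11" ] || return 1
    # A non-numeric patch component cannot be compared; treat it as not matched.
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in
        0) [ "$patch" -lt 5 ] ;;        # fixed in 11.0.5
        1) [ "$patch" -lt 6 ] ;;        # fixed in 11.1.6
        2) [ "$patch" -lt 1 ] ;;        # fixed in 11.2.1
        *) return 1 ;;                  # 11.3 and later shipped with the fix
    esac
}

# Returns 0 if a duckdb executable is found on the given PATH (argument 1,
# defaulting to the caller's PATH). Runs in a subshell so the caller's PATH
# is not modified.
duckdb_on_path() {
    ( PATH="${1:-$PATH}"; command -v duckdb >/dev/null 2>&1 )
}

# Combines both preconditions: 0 means the host matches the advisory's
# conditions and should be treated as exposed until upgraded.
cve_2024_9264_exposed() {
    grafana_version_affected "$1" && duckdb_on_path "${2:-$PATH}"
}

# Usage example against constructed values (no real Grafana needed):
#   cve_2024_9264_exposed "11.1.3" "/usr/local/sbin:/usr/local/bin:/usr/bin" \
#       && echo "exposed" || echo "not matched"
```

Because the check only reads the version string and the PATH, it is safe to run on a production host; the point of the PATH argument is to reproduce what the server process actually sees, which is where the advisory's exploitability condition applies.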