Grafana Command Injection And Local File Inclusion Via Sql Expressions
Critical severity
GitHub Reviewed
Published
Oct 18, 2024
to the GitHub Advisory Database
•
Updated Nov 1, 2024
Package
Affected versions
>= 11.0.0, <= 11.0.6
>= 11.1.0, <= 11.1.7
>= 11.2.0, <= 11.2.2
Patched versions
11.0.6+security-01
11.1.7+security-01
11.2.2+security-01
Description
Published by the National Vulnerability Database
Oct 18, 2024
Published to the GitHub Advisory Database
Oct 18, 2024
Reviewed
Oct 25, 2024
Last updated
Nov 1, 2024
The SQL Expressions experimental feature of Grafana allows for the evaluation of
duckdb
queries containing user input. These queries are insufficiently sanitized before being passed toduckdb
, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. Theduckdb
binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.References