Grafana fixes a critical vulnerability CVE-2024-9264

Grafana has been affected by a critical security vulnerability that could allow attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise.

The vulnerability, tracked as CVE-2024-9264 and carrying a CVSS v3.1 score of 9.9, stems from an experimental feature called SQL Expressions, which allows users to post-process data source queries using SQL.

By exploiting this flaw, a malicious actor could craft queries that escape the intended SQL context and execute system commands or read sensitive files on the server. Any Grafana user with Viewer permissions or higher can carry out the attack.


Grafana states, “Because of an incorrect implementation of feature flags, this experimental feature is enabled by default for the API.” This default setting, combined with a DuckDB binary being available in the system PATH, is what makes an instance exploitable. The DuckDB binary is not packaged with Grafana by default, so only instances where DuckDB has been installed and is reachable via the PATH are affected.

Grafana Labs has released patched versions for all affected Grafana 11 release lines. Users are strongly urged to upgrade to one of the patched versions immediately:

  • 11.0.5+security-01 - security fix only
  • 11.1.6+security-01 - security fix only
  • 11.2.1+security-01 - security fix only
  • 11.0.6+security-01 - includes latest features and security fix
  • 11.1.7+security-01 - includes latest features and security fix
  • 11.2.2+security-01 - includes latest features and security fix

As a temporary mitigation, Grafana Labs recommends removing the DuckDB binary from the system PATH or uninstalling it entirely.
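The two conditions above (an unpatched 11.x release and a DuckDB binary reachable through PATH) can be checked on a host with a short script. The following is an added example, not code from Grafana Labs or from the original article; it assumes the DuckDB CLI is installed under the name `duckdb` and that the Grafana version string has the form MAJOR.MINOR.PATCH with an optional `+security-NN` suffix. Versions outside the three minor lines listed above are reported as `unknown` rather than guessed.

```shell
#!/bin/sh
# Added example, not code from Grafana Labs or the article above.
# Two host-side checks for CVE-2024-9264 exposure:
#   1. is a "duckdb" executable reachable through PATH (the precondition
#      the advisory names), and
#   2. is the installed Grafana at or above the fixed release for its
#      11.x minor line (11.0.5+security-01, 11.1.6+security-01,
#      11.2.1+security-01).
# Assumptions: the DuckDB CLI is installed under the name "duckdb", and the
# Grafana version string looks like MAJOR.MINOR.PATCH[+security-NN].

# duckdb_in_path [SEARCH_PATH]
# Prints the first "duckdb" executable found on SEARCH_PATH (default: $PATH)
# and returns 0; returns 1 and prints nothing if none is found.
duckdb_in_path() {
    search_path="${1:-$PATH}"
    old_ifs="$IFS"
    IFS=:
    for dir in $search_path; do
        if [ -n "$dir" ] && [ -x "$dir/duckdb" ] && [ ! -d "$dir/duckdb" ]; then
            IFS="$old_ifs"
            echo "$dir/duckdb"
            return 0
        fi
    done
    IFS="$old_ifs"
    return 1
}

# grafana_fix_status VERSION
# Prints "patched", "vulnerable" or "unknown" and returns 0, 1 or 2.
# A release is "patched" if its patch number is above the first fixed patch
# for that minor line, or equal to it with a "+security-NN" suffix (plain
# 11.0.5 predates 11.0.5+security-01). Versions outside 11.0/11.1/11.2 are
# reported as "unknown" rather than guessed.
grafana_fix_status() {
    version="$1"
    base="${version%%+*}"          # "11.0.5+security-01" -> "11.0.5"
    suffix="${version#"$base"}"    # "" or "+security-01"
    case "$base" in
        *.*.*) ;;
        *) echo unknown; return 2 ;;
    esac
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$major" = 11 ] || { echo unknown; return 2; }
    case "$minor" in
        0) fixed=5 ;;
        1) fixed=6 ;;
        2) fixed=1 ;;
        *) echo unknown; return 2 ;;
    esac
    case "$patch" in
        ""|*[!0-9]*) echo unknown; return 2 ;;
    esac
    if [ "$patch" -gt "$fixed" ]; then
        echo patched; return 0
    fi
    if [ "$patch" -eq "$fixed" ]; then
        case "$suffix" in
            +security-*) echo patched; return 0 ;;
        esac
    fi
    echo vulnerable
    return 1
}

# check_host VERSION [SEARCH_PATH]
# Combines both checks. Returns 1 only when Grafana is not known to be
# patched AND a duckdb binary is reachable, i.e. when both preconditions
# for exploitation named in the advisory are met.
check_host() {
    version="$1"
    status="$(grafana_fix_status "$version")" || true
    echo "Grafana $version: $status"
    bin=""
    if bin="$(duckdb_in_path "${2:-$PATH}")"; then
        echo "duckdb found on PATH: $bin"
    else
        echo "no duckdb binary on PATH"
    fi
    if [ "$status" != patched ] && [ -n "$bin" ]; then
        echo "EXPOSED: upgrade Grafana, or remove $bin from PATH as a stopgap"
        return 1
    fi
    echo "not exploitable via DuckDB as far as these checks can tell"
    return 0
}
```

On a Grafana host, source the script and run `check_host` with the version string shown in the Grafana UI or printed by the server binary's `-v` option, for example `check_host 11.2.0`. A non-zero exit means the instance is running an unpatched release and has DuckDB reachable, which is exactly the combination the advisory describes; removing the binary from PATH (the stopgap above) flips the result until the upgrade is done.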

For further information, refer to the official blog.
