← Back to CVE List

CVE-2024-9264

Published: 2024-10-18T04:15Z
Last Modified: 2025-03-14T10:15Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt