Overview
- Description
- The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
- Source
- security@grafana.com
- NVD status
- Analyzed
Risk scores
CVSS 4.0
- Type
- Secondary
- Base score
- 9.4
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Social media
- Hype score
- Not currently trending
[Vulnerability] Grafana arbitrary file read vulnerability (CVE-2024-9264). This PoC demonstrates exploitation of CVE-2024-9264, in which an authenticated user executes DuckDB SQL queries and reads arbitrary files on the file system. https://t.co/mroOWSkF6p
@cybersecuritysl
6 Nov 2024
1638 Impressions
6 Retweets
20 Likes
22 Bookmarks
0 Replies
0 Quotes
Grafana vulnerability CVE-2024-9264 (CVSS 9.9): PoC exploit published https://t.co/rtnKmsCGpX #DuckDB #Exploit #Grafana #LFI #OpenSource #PoCExploit #RCE
@iototsecnews
6 Nov 2024
75 Impressions
2 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔒 Critical Grafana vulnerability (CVE-2024-9264) rated 9.9/10! PoC shows risks of LFI & command injection with viewer access. Update your versions ASAP to stay secure. #CyberSecurity #Grafana #Infosec https://t.co/xISTl7NQEe
@SandroBruscino
3 Nov 2024
151 Impressions
0 Retweets
3 Likes
0 Bookmarks
1 Reply
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2024-35202 2 - CVE-2024-38821 3 - CVE-2024-51378 4 - CVE-2024-50550 5 - CVE-2024-9264 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
3 Nov 2024
125 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
"Grafana Vulnerability CVE-2024-9264: PoC Exploit Released for 9.9-Rated Critical Flaw" #infosec #pentest #redteam #blueteam https://t.co/RyQaw29P2S
@CyberWarship
2 Nov 2024
2680 Impressions
16 Retweets
27 Likes
14 Bookmarks
0 Replies
0 Quotes
CVE-2024-9264 | Grafana RCE via SQL Expressions (Critical) https://t.co/7yWrDTcX66 #CVEs #Bug Bounty #OSINT #Recon #Vapt #Web #bugbountytip #infosecurity #infosec #CyberSecurity #informationtechnology
@Yashh2
2 Nov 2024
56 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
Actively exploited CVE : CVE-2024-9264
@transilienceai
30 Oct 2024
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2024-9264
@transilienceai
29 Oct 2024
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Grafana RCE vulnerability CVE-2024-9264 (CVSS: 9.9) FIXED: update immediately! https://t.co/eerJ9qyW71 #API #DuckDB #Grafana #Monitoring #OpenSource #SecTool #SQL #SQLExpressionsapi
@iototsecnews
29 Oct 2024
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A PoC (proof-of-concept attack code) for Grafana's critical vulnerability CVE-2024-9264 has been published. CVE-2024-9264 is a Local File Inclusion (LFI) with a CVSS score of 9.9 that ultimately allows remote code execution through command injection. The vulnerable feature is experimental but enabled by default. https://t.co/zu6LScghDp
@__kokumoto
28 Oct 2024
1731 Impressions
8 Retweets
15 Likes
3 Bookmarks
1 Reply
0 Quotes
🚨 Grafana Vulnerability Alert: CVE-2024-9264 - Proof of concept released🚨 A critical flaw (CVE-2024-9264) in Grafana, rated 9.9 in severity, allows attackers to execute remote code and potentially compromise systems. A proof-of-concept exploit has been released.… https://t.co/
@Ransom_DB
28 Oct 2024
73 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
1 Quote
Grafana Vulnerability CVE-2024-9264: PoC Exploit Released for 9.9-Rated Critical Flaw https://t.co/0JsbakKIoD
@Dinosn
28 Oct 2024
6854 Impressions
38 Retweets
112 Likes
49 Bookmarks
0 Replies
3 Quotes
🗣 Grafana Vulnerability CVE-2024-9264: PoC Exploit Released for 9.9-Rated Critical Flaw https://t.co/KBLYVGagXf
@fridaysecurity
28 Oct 2024
68 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
1 Quote
Grafana Vulnerability CVE-2024-9264: PoC Exploit Released for 9.9-Rated Critical Flaw Explore the technical details of CVE-2024-9264, a critical vulnerability in #Grafana that allows attackers to exploit #SQL expressions feature. https://t.co/Y2rKvXcphW
@the_yellow_fall
28 Oct 2024
2871 Impressions
16 Retweets
42 Likes
14 Bookmarks
0 Replies
1 Quote
Top 5 Trending CVEs: 1 - CVE-2024-47575 2 - CVE-2024-4947 3 - CVE-2023-26360 4 - CVE-2024-9264 5 - CVE-2024-20481 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
26 Oct 2024
85 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Security update for Grafana ➡️ CVE-2024-9264 (LFI) Local File Inclusion via SQL https://t.co/dPAUPYJ1M0 https://t.co/dHuxmNT7qj
@elhackernet
25 Oct 2024
4109 Impressions
5 Retweets
38 Likes
5 Bookmarks
0 Replies
1 Quote
Oh yes the reason I came online before I got lost in sports and tech updates. #Grafana RCE in the Grafana SQL Expression feature. Don't forget to keep access to you logs secure. CVE-2024-9264 EPSS - public exploit available as https://t.co/M9a4ozAxBS
@Matshi_M
24 Oct 2024
20 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
CVE-2024-9264: SQL injection vulnerability in Grafana's experimental SQL Expressions feature. Any authenticated user can execute arbitrary DuckDB SQL queries through modified expressions in Grafana dashboards. PoC https://t.co/AhS3qmjWGu https://t.co/bmfdfOH3Z9
@cyber_advising
22 Oct 2024
2397 Impressions
11 Retweets
28 Likes
15 Bookmarks
0 Replies
1 Quote
CVE-2024-9264 - Remote Code Execution in Grafana via SQL Expressions and improper sanitized DuckDB SQL queries PoC: https://t.co/bXo1sRSSU0 Blog: https://t.co/b0jUKBHwpZ https://t.co/btzuDj3yTV
@z3k0sec
21 Oct 2024
139 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Cloud Security: critical Grafana vulnerability (CVE-2024-9264) 🚨 A critical flaw has just been identified, and this patch is essential to keep your systems secure. https://t.co/ccXZgMGC2z #CloudSecOps #SécuritéInformatique #Vulnérabilité #Grafana
@A1CloudTech
21 Oct 2024
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#Grafana Remote Code Execution PoC (CVE-2024-9264) https://t.co/b0jUKBGYAr https://t.co/0abDw8iErX
@z3k0sec
21 Oct 2024
127 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
RCE in Grafana via SQL Expressions (CVE-2024-9264) https://t.co/bXo1sRSl4s #grafana #rce #exploit
@z3k0sec
21 Oct 2024
499 Impressions
3 Retweets
10 Likes
4 Bookmarks
1 Reply
1 Quote
🚨 Vulnerability Announcement: Grafana 11.x. For more information: https://t.co/md36LTnRcX #CVE20249264 CVE-2024-9264 https://t.co/ghH5bMHt0D
@cybSec4everyone
20 Oct 2024
92 Impressions
0 Retweets
2 Likes
2 Bookmarks
0 Replies
0 Quotes
GitHub - nollium/CVE-2024-9264: Exploit for Grafana arbitrary file-read (CVE-2024-9264) - https://t.co/8y8xolgPFl
@piedpiper1616
20 Oct 2024
6631 Impressions
25 Retweets
64 Likes
18 Bookmarks
1 Reply
0 Quotes
Exploit for Grafana arbitrary file-read (CVE-2024-9264) https://t.co/xg4HMnC0Gv #Pentesting #CyberSecurity #Infosec https://t.co/beOrqU0tXF
@ptracesecurity
20 Oct 2024
6160 Impressions
17 Retweets
66 Likes
19 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2024-38178 2 - CVE-2024-9264 3 - CVE-2024-48904 4 - CVE-2019-5790 5 - CVE-2024-7254 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
20 Oct 2024
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Sharing a rather underwhelming CVE, its principle and PoC. [CVE-2024-9264] Grafana Post-Auth DuckDB SQL injection vulnerability (file read). Grafana is an open-source data visualization and monitoring tool widely used to display real-time monitoring information from various data sources. It supports custom dashboards, helping users analyze and track system performance and business metrics. RCE is possible via the LDAP protocol; exploitation conditions: 1.… https://t.co/leSWhVTE4p https://t.co/NxjSN6aM54
@seclink
20 Oct 2024
689 Impressions
1 Retweet
0 Likes
0 Bookmarks
1 Reply
0 Quotes
https://t.co/tAOSYVaaUK Proof-of-Concept File-Read in Grafana (CVE-2024-9264)
@z3k0sec
20 Oct 2024
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CRITICAL VULNERABILITIES Grafana security release: Critical severity fix for CVE-2024-9264 URL: https://t.co/ifr6SH2Y0Q Classification: Critical, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 9.4 CVEs: CVE-2024-9264 #securety #redhat #grafina
@CharyyevPerman
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-9264 alert 🚨 GRAFANA : Critical vulnerability leading to Remote Code Execution The vulnerability is actively exploited in the wild and has been integrated into Patrowl. Our customers assets are protected. 🦉 #CyberSecurity #InfoSec #grafana https://t.co/DN2kLFqj7A
@Patrowl_io
74 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical RCE vulnerability in Grafana (CVE-2024-9264): Update now! https://t.co/3R8d0gNJND https://t.co/zKLEDqQScL
@cozumpark
308 Impressions
1 Retweet
3 Likes
0 Bookmarks
0 Replies
0 Quotes
Wrote a POC and vulnerability analysis for CVE-2024-9264 Grafana authenticated "RCE" https://t.co/Q23VOGATkQ https://t.co/rBxzfrMpQP
@nol_tech
20133 Impressions
80 Retweets
319 Likes
192 Bookmarks
5 Replies
2 Quotes
🔴New vulnerability was just published🔴 CVE ➡️ CVE-2024-9264 Impacting ➡️ Grafana CVSS ➡️ 9.9 #cve #securitricks #vulnerability #cybersecurity https://t.co/3OiwtZ5fW1
@SecuriTricks
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Command injection and local file inclusion via SQL Expressions in Grafana >= v11.0 (CVE-2024-9264) - experimental feature is enabled by default - DuckDB has to be installed and added to PATH variable - attacker needs to have at least Viewer permissions https://t.co/aHW34GC
@z3k0sec
74 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
[CVE-2024-9264: CRITICAL] Grafana's SQL Expressions feature has a vulnerability allowing command injection and local file inclusion due to unsanitized user input in `duckdb` queries. An attacker with VIEWER permis...#cybersecurity,#vulnerability https://t.co/oApdaTZZ2J https://t.
@CveFindCom
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-9264 Exploitable SQL Expressions Command Injection in Grafana via `duckdb` Grafana's SQL Expressions experimental feature lets users run `duckdb` queries. These queries take user input. But they aren't c... https://t.co/vgNEr8BuGt
@VulmonFeeds
102 Impressions
1 Retweet
1 Like
1 Bookmark
0 Replies
0 Quotes
CVE-2024-9264 The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized befo… https://t.co/zNri61Og24
@CVEnew
467 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-9264: Execute Arbitrary Code in Grafana, 9.9 rating 🔥🔥🔥 Hackers can perform command injection using a vulnerability in SQL Expressions. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/BvfGdGWbvY #cybersecurity #vulnerability_map #grafana https://t.co/jV494
@Netlas_io
6526 Impressions
24 Retweets
91 Likes
43 Bookmarks
0 Replies
0 Quotes
Patch Now! Grafana Hit by 9.9 Severity RCE Vulnerability #Grafana users, beware of CVE-2024-9264! Discover the details of this critical security vulnerability and find out how to safeguard your systems from potential attacks https://t.co/0AdOOEGfN9
@the_yellow_fall
133 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
Update now! Critical RCE vulnerability in #Grafana (CVE-2024-9264) #CiberSeguridad https://t.co/9weBHsUUAg
@hack4lifemx
133 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Patch Now! Grafana Hit by 9.9 Severity RCE Vulnerability (CVE-2024-9264) https://t.co/U6zOGCYYGw
@Dinosn
13427 Impressions
88 Retweets
203 Likes
71 Bookmarks
0 Replies
0 Quotes
A remote code execution vulnerability with a CVSS score of 9.9 has been fixed in Grafana. CVE-2024-9264 is a command injection caused by incomplete sanitization of queries in the experimental "SQL Expressions" feature. Viewer or higher permissions are the precondition for the attack. Temporary mitigation: remove DuckDB from PATH or delete it. https://t.co/qN38Vq9kue
@__kokumoto
915 Impressions
2 Retweets
9 Likes
3 Bookmarks
0 Replies
0 Quotes
Grafana fixes a critical vulnerability CVE-2024-9264 #Grafana #CVE-2024-9264 https://t.co/UVUFyRUn5M
@pravin_karthik
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Configurations
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:grafana:grafana:11.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "876CCACF-B9AF-4358-AB56-58C86303B463"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]