CVE-2024-9264: 
Grafana vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-9264) was discovered in Grafana's SQL Expressions experimental feature, affecting versions 11.0.x, 11.1.x, and 11.2.x. The vulnerability allows for command injection and local file inclusion attacks through insufficiently sanitized DuckDB queries. This security flaw can be exploited by any user with VIEWER or higher permissions (SecurityOnline, NVD).

The vulnerability stems from the SQL Expressions feature introduced in Grafana 11, which processes data queries using SQL commands. The feature fails to properly sanitize user input before passing it to the DuckDB CLI, enabling attackers to inject arbitrary SQL commands. The vulnerability has received a critical CVSS v3.1 base score of 9.9 and a CVSS v4.0 score of 9.4. For successful exploitation, the DuckDB binary must be present in Grafana's $PATH, though it is not installed by default in Grafana distributions (NVD, SecurityOnline).

The vulnerability enables attackers to perform both local file inclusion (LFI) and command injection attacks. Successful exploitation could lead to unauthorized access to sensitive files and potential remote code execution (RCE). The impact is particularly severe as it affects systems where DuckDB is installed and configured in the environment (SecurityOnline).

Grafana has released fixed versions to address this vulnerability: 11.0.5+security-01, 11.1.6+security-01, 11.2.1+security-01, 11.0.6+security-01, 11.1.7+security-01, and 11.2.2+security-01. Users are strongly advised to update their Grafana instances to these patched versions immediately (Grafana Advisory).