Arbitrary Code Injection Affecting github.com/grafana/grafana/pkg/expr package, versions >=11.0.0 <11.0.5+security-01 >=11.1.0 <11.1.6+security-01 >=11.2.0 <11.2.1+security-01
Snyk ID SNYK-GOLANG-GITHUBCOMGRAFANAGRAFANAPKGEXPR-8230402
- published 18 Oct 2024
- disclosed 18 Oct 2024
- credit Unknown
Introduced: 18 Oct 2024
CVE-2024-9264
How to fix?
Upgrade github.com/grafana/grafana/pkg/expr to version 11.0.5+security-01, 11.1.6+security-01, 11.2.1+security-01 or higher.
Overview
Affected versions of this package are vulnerable to Arbitrary Code Injection due to insufficient sanitization of queries containing user input before they are passed to duckdb. This can lead to command injection and local file inclusion vulnerabilities.
Notes:
- Any user with the VIEWER or higher permission is capable of executing this attack.
- The duckdb binary must be present in Grafana’s $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
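As an added exposure check, not part of the Snyk advisory or of Grafana's own code, the following Go program tests the two preconditions the advisory names for a deployment: whether a Grafana version string falls inside the affected ranges above, and whether a duckdb binary resolves from $PATH. How a bare release orders against its +security-01 build is an assumption, noted in the code.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// First fixed release of each affected minor line, taken from the advisory.
var fixedByMinor = map[[2]int]string{
	{11, 0}: "11.0.5+security-01",
	{11, 1}: "11.1.6+security-01",
	{11, 2}: "11.2.1+security-01",
}

// parse turns "11.0.5+security-01" into {11, 0, 5, 1}. Assumption, not stated by the
// advisory: bare 11.0.5 sorts before 11.0.5+security-01, the re-release carrying the fix.
func parse(v string) (out [4]int, err error) {
	base, meta, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+")
	if _, err = fmt.Sscanf(base, "%d.%d.%d", &out[0], &out[1], &out[2]); err != nil {
		return out, fmt.Errorf("unrecognised version %q", v)
	}
	fmt.Sscanf(meta, "security-%d", &out[3]) // stays 0 when there is no security suffix
	return out, nil
}

// IsAffected reports whether a Grafana version falls inside one of the advisory's ranges.
func IsAffected(version string) (bool, error) {
	v, err := parse(version)
	if err != nil {
		return false, err
	}
	fixed, ok := fixedByMinor[[2]int{v[0], v[1]}]
	if !ok {
		return false, nil // minor line not covered by the advisory (e.g. 11.3+)
	}
	f, _ := parse(fixed)
	for i := range v {
		if v[i] != f[i] {
			return v[i] < f[i], nil
		}
	}
	return false, nil
}

// DuckDBOnPath checks the advisory's other precondition: a duckdb binary on $PATH.
func DuckDBOnPath() bool {
	_, err := exec.LookPath("duckdb")
	return err == nil
}
```

Run it with the Grafana version string from the instance's health endpoint or binary, under the same environment (and therefore the same $PATH) as the Grafana service.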