The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb
queries containing user input. These queries are insufficiently sanitized before being passed to duckdb
, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The duckdb
binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
{ "nvd_published_at": "2024-10-18T04:15:04Z", "cwe_ids": [ "CWE-77", "CWE-94" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-10-25T14:13:42Z" }