Patch Now! Grafana Hit by 9.9 Severity RCE Vulnerability (CVE-2024-9264)
A critical security vulnerability (CVE-2024-9264) has been discovered in Grafana, the popular open-source platform for monitoring and observability. This vulnerability, with a CVSS v3.1 score of 9.9, could allow attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise.
The flaw stems from an experimental feature called “SQL Expressions,” which allows users to post-process data source queries using SQL. According to the security advisory released by Grafana Labs, “These SQL queries were not sanitized completely, leading to a command injection and local file inclusion vulnerability.”
This means that malicious actors could craft queries that escape the intended SQL context and execute system commands or access sensitive files on the server. Worryingly, the advisory states that “Any Grafana user who has Viewer permissions or higher is capable of executing this attack.”
In its advisory, Grafana Labs explains, “Because of an incorrect implementation of feature flags, this experimental feature is enabled by default for the API.” Two conditions therefore have to hold for an instance to be exploitable: the feature is reachable through the API (which it is by default) and a DuckDB binary is available in the system PATH as seen by the Grafana server process. Importantly, the DuckDB binary is not packaged with Grafana by default, so only instances where DuckDB has been installed and is accessible via the PATH are exploitable.
Grafana Labs has acted swiftly to address CVE-2024-9264, releasing patched versions for all affected Grafana 11 releases. Users are strongly urged to upgrade to a patched version immediately:
- 11.0.5+security-01 (security fix only)
- 11.1.6+security-01 (security fix only)
- 11.2.1+security-01 (security fix only)
- 11.0.6+security-01 (includes latest features and security fix)
- 11.1.7+security-01 (includes latest features and security fix)
- 11.2.2+security-01 (includes latest features and security fix)
“If your instance is vulnerable, we strongly recommend upgrading to one of the patched versions of Grafana as soon as possible,” the advisory emphasizes.
As a temporary mitigation, Grafana Labs recommends removing the DuckDB binary from the system’s PATH or uninstalling it entirely.
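The two conditions the advisory describes (a DuckDB binary reachable via PATH, and a Grafana 11.0/11.1/11.2 release below the patched level listed above) can be checked locally before deciding between upgrading and removing the binary. The POSIX sh script below is an added example written for this article; it is not code from Grafana Labs or the advisory. The patched patch-levels are taken from the list above, a release at that patch level without the "+security-01" build tag is treated as unpatched, versions outside the three listed lines are reported as not covered rather than as safe, and the function names and sample versions are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Grafana Labs advisory): local pre-check for the
# two conditions behind CVE-2024-9264 as summarised in the article above.
# Function names and sample versions are constructed for illustration.

# First patched patch-level per minor line, from the advisory's list.
# A plain N.N.<fixed> without the "+security-01" build tag is treated as unpatched.
FIXED_11_0=5
FIXED_11_1=6
FIXED_11_2=1

# duckdb_on_path: print the resolved binary path and return 0 if "duckdb" is
# on PATH, return 1 otherwise. It uses whatever PATH the caller exports, so run
# it with the Grafana service's environment, not only your login shell's.
duckdb_on_path() {
    command -v duckdb 2>/dev/null
}

# grafana_needs_patch VERSION
#   returns 0 if VERSION is below the patched release for its line,
#           1 if it is at or above it,
#           2 if VERSION is not an 11.0/11.1/11.2 release this check covers.
grafana_needs_patch() {
    full=${1#v}                                     # tolerate a leading "v"
    build=""
    case "$full" in *+*) build=${full#*+} ;; esac   # e.g. "security-01"
    v=${full%%+*}
    v=${v%%-*}                                      # drop a pre-release suffix
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%.*}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac  # non-numeric component
    done
    if [ "$major" -ne 11 ]; then return 2; fi
    case "$minor" in
        0) fixed=$FIXED_11_0 ;;
        1) fixed=$FIXED_11_1 ;;
        2) fixed=$FIXED_11_2 ;;
        *) return 2 ;;
    esac
    if [ "$patch" -lt "$fixed" ]; then return 0; fi
    if [ "$patch" -gt "$fixed" ]; then return 1; fi
    # Same patch level as the fix: only the "+security-NN" build carries the fix.
    case "$build" in security-*) return 1 ;; *) return 0 ;; esac
}

# cve_2024_9264_exposed VERSION
#   returns 0 when both conditions hold on this host (DuckDB reachable and
#   Grafana below the patched level), 1 when at least one does not hold,
#   2 when DuckDB is reachable but VERSION is outside the covered lines.
cve_2024_9264_exposed() {
    if ! duckdb_on_path >/dev/null; then
        return 1
    fi
    grafana_needs_patch "$1"
}

# report VERSION: operator-readable summary of both checks.
report() {
    if p=$(duckdb_on_path); then
        echo "duckdb binary found on PATH: $p"
    else
        echo "duckdb binary not found on PATH"
    fi
    rc=0; grafana_needs_patch "$1" || rc=$?
    case "$rc" in
        0) echo "Grafana $1 is below the patched release for its line" ;;
        1) echo "Grafana $1 is at or above the patched release for its line" ;;
        *) echo "Grafana $1 is outside the 11.0/11.1/11.2 lines this check covers" ;;
    esac
    rc=0; cve_2024_9264_exposed "$1" || rc=$?
    case "$rc" in
        0) echo "RESULT: both conditions hold; upgrade, or remove duckdb from the PATH as an interim step" ;;
        1) echo "RESULT: at least one condition does not hold" ;;
        *) echo "RESULT: duckdb is reachable; verify this version against the advisory manually" ;;
    esac
}

# Usage: sh grafana-9264-check.sh <grafana-version>, e.g. 11.2.0 or 11.2.1+security-01
if [ "$#" -ge 1 ]; then
    report "$1"
fi
```

Run it with the version string your instance reports, and with the PATH the Grafana service actually starts with (a systemd unit or container often has a narrower PATH than an interactive shell), since that is the PATH in which the binary would be found. A "not found" result from a login shell alone does not prove the service cannot find DuckDB.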