CVE-2024-9264
published 2024-10-18


Priority: P2 (78, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 97.78% (99.9th percentile)
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

Affected

10 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 11.0.0 < 11.0.6+security-01 | 11.0.6+security-01 |
| github.com | grafana_grafana | >= 11.1.0 < 11.1.7+security-01 | 11.1.7+security-01 |
| github.com | grafana_grafana | >= 11.2.0 < 11.2.2+security-01 | 11.2.2+security-01 |
| grafana | grafana | | |
| grafana | grafana | >= 11.0.0 < 11.0.5 | 11.0.5 |
| grafana | grafana | >= 11.0.0 < 11.0.6 | 11.0.6 |
| grafana | grafana | >= 11.1.0 < 11.1.6 | 11.1.6 |
| grafana | grafana | >= 11.1.0 < 11.1.7 | 11.1.7 |
| grafana | grafana | >= 11.2.0 < 11.2.1 | 11.2.1 |
| grafana | grafana | >= 11.2.0 < 11.2.2 | 11.2.2 |

Detection & IOCs (extracted from sources)

url: /api/ds/query?ds_type=__expr__&expression=true&requestId=Q101
command: SELECT content FROM read_blob('/etc/passwd')
cookie: grafana_session
snort:

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Post-Authentication DuckDB SQL Injection (CVE-2024-9264)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/ds/query|3f|"; startswith; content:"ds|5f|type|3d 5f 5f|expr|5f 5f|"; fast_pattern; content:"expression|3d|true"; http.request_body; content:"|22|expression|22 3a|"; pcre:"/^\x20?\x22[^\x22]*?(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,github.com/nollium/CVE-2024-9264/; reference:cve,2024-9264; classtype:web-application-attack; sid:2056768; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_22, cve CVE_2024_9264, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_25, reviewed_at 2025_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
  • Look for POST requests to /api/ds/query with ds_type=__expr__ and expression=true in the URI, combined with a JSON body containing a "type":"sql" field — this is the attack vector for CVE-2024-9264.
  • Inspect the JSON body of requests to /api/ds/query for the "expression" field containing SQL keywords such as SELECT, FROM, read_blob, UNION, INSERT, DELETE — these indicate exploitation attempts.
  • The Snort/ET rule uses a PCRE to match SQL injection patterns (SELECT FROM/USER, UNION SELECT, UPDATE SET, DELETE FROM, INSERT INTO, /* */) inside the "expression" JSON key in the request body.
  • A response to a successful exploitation matches the regex 'root:.*:0:' in its body (passwd file content) and contains '"data":{' in the JSON — use these as confirmation matchers.
  • The feature is enabled by default for the API due to an incorrect implementation of feature flags, even though it is experimental — do not assume the feature is disabled in affected Grafana deployments.
  • The attack requires the duckdb binary to be present in Grafana's $PATH. Audit Grafana host PATH for the presence of the duckdb binary as a prerequisite indicator of exploitability.
  • Any authenticated user with VIEWER or higher permission can trigger the attack — do not restrict detection scope to admin-level sessions.
  • The SQL Expressions feature was introduced in Grafana 11.0.0. Versions prior to 11.0.0 are not affected.
  • Red Hat Enterprise Linux 8, 9, 10 and Red Hat Storage 3 ship Grafana versions that do not include this feature and are confirmed not affected.
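The request-side indicators above (POST to /api/ds/query with ds_type=__expr__ and expression=true, a "type":"sql" query whose "expression" carries SQL keywords) and the response-side confirmation matchers, turned into a small log-triage check. This is an added example, not code from the page or from Grafana; the request samples are constructed, and the exact JSON body layout is assumed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples (not captured traffic): one request matching the
# CVE-2024-9264 pattern, one benign query against the same endpoint.
SAMPLE_REQUESTS = [
    {"method": "POST",
     "uri": "/api/ds/query?ds_type=__expr__&expression=true&requestId=Q101",
     "body": '{"queries":[{"refId":"A","type":"sql",'
             '"expression":"SELECT content FROM read_blob(\'/etc/passwd\')"}]}'},
    {"method": "POST",
     "uri": "/api/ds/query?ds_type=prometheus",
     "body": '{"queries":[{"refId":"A","expr":"up"}]}'},
]

# SQL keywords named in the detection notes; read_blob is the file-read primitive.
SQL_KEYWORDS = re.compile(r"\b(SELECT|FROM|UNION|INSERT|DELETE|UPDATE)\b|read_blob", re.I)


def is_cve_2024_9264_attempt(method, uri, body):
    """True when method/URI/body match the exploitation pattern for this CVE."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(uri)
    if parts.path != "/api/ds/query":
        return False
    params = parse_qs(parts.query)
    if params.get("ds_type") != ["__expr__"] or params.get("expression") != ["true"]:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    queries = doc.get("queries", []) if isinstance(doc, dict) else []
    for q in queries:
        if (isinstance(q, dict) and q.get("type") == "sql"
                and SQL_KEYWORDS.search(str(q.get("expression", "")))):
            return True
    return False


def looks_like_successful_read(response_body):
    """Confirmation matchers: passwd-style root line plus a JSON data frame."""
    return bool(re.search(r"root:.*:0:", response_body)) and '"data":{' in response_body


def scan(requests):
    """Return the indexes of requests that match the exploitation pattern."""
    return [i for i, r in enumerate(requests)
            if is_cve_2024_9264_attempt(r["method"], r["uri"], r["body"])]


if __name__ == "__main__":
    print("suspicious request indexes:", scan(SAMPLE_REQUESTS))
```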

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 9.4 | CRITICAL | |
| vendor_redhat | | 9.4 | CRITICAL | |