CVE-2024-9264
Published 2024-10-18
Priority: P2 · 78 · high · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 97.78% (99.9th percentile)
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 11.0.0 < 11.0.6+security-01 | 11.0.6+security-01 |
| github.com | grafana_grafana | >= 11.1.0 < 11.1.7+security-01 | 11.1.7+security-01 |
| github.com | grafana_grafana | >= 11.2.0 < 11.2.2+security-01 | 11.2.2+security-01 |
| grafana | grafana | — | — |
| grafana | grafana | >= 11.0.0 < 11.0.5 | 11.0.5 |
| grafana | grafana | >= 11.0.0 < 11.0.6 | 11.0.6 |
| grafana | grafana | >= 11.1.0 < 11.1.6 | 11.1.6 |
| grafana | grafana | >= 11.1.0 < 11.1.7 | 11.1.7 |
| grafana | grafana | >= 11.2.0 < 11.2.1 | 11.2.1 |
| grafana | grafana | >= 11.2.0 < 11.2.2 | 11.2.2 |
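A version check over the table above, as an added Python example that is not from any of the page's sources or from Grafana: it takes the union of the listed ranges, so a branch that appears with two fix versions (11.0.5 and 11.0.6) is treated as affected up to the later one, and it handles the `+security-01` build tag the way semver precedence does (build metadata is ignored, so `11.0.6+security-01` sorts as `11.0.6` and counts as fixed, which is also why the OSV note below says those versions could not be mapped automatically). The version list in `main` is constructed, not a real inventory.

```python
from __future__ import annotations

import re

# Affected ranges as listed in the table, taken as their union: where a branch is
# listed twice (fixed in 11.0.5 and in 11.0.6) the wider range wins, so the check
# errs on the side of "affected". Each entry is (first affected, first fixed).
AFFECTED_RANGES = [
    ((11, 0, 0), (11, 0, 6)),
    ((11, 1, 0), (11, 1, 7)),
    ((11, 2, 0), (11, 2, 2)),
]

# major.minor.patch, optional -prerelease, optional +build (e.g. +security-01)
VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$"
)


def version_key(version: str) -> tuple[int, int, int, int]:
    """Sort key for a Grafana version string under semver precedence.

    A pre-release sorts below the release it precedes (last element 0 vs 1) and
    build metadata after '+' does not change precedence at all.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_affected(version: str) -> bool:
    """True when the version falls inside any listed affected range.

    The upper bound is exclusive of the fixed release, but a pre-release of the
    fixed version (e.g. 11.0.6-pre) is still counted as affected.
    """
    key = version_key(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if (*first_affected, 1) <= key < (*first_fixed, 1):
            return True
    return False


def triage_versions(versions: list[str]) -> dict[str, bool]:
    """Map each version string to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["10.4.7", "11.0.0", "11.0.5+security-01", "11.0.6+security-01",
              "11.2.1", "v11.2.2+security-01", "11.3.0"]
    for v, hit in triage_versions(sample).items():
        print(f"{v:22s} {'AFFECTED' if hit else 'not affected'}")
```

Versions outside every listed range (anything below 11.0.0, or 11.3.0 and later, which postdate the fix) come back as not affected; the check only encodes the ranges on this page, so re-run it against the vendor advisory if those change.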
Detection & IOCs (extracted from sources)
Cookie name: grafana_session
Snort/Suricata rule (ET, sid 2056768):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana Post-Authentication DuckDB SQL Injection (CVE-2024-9264)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/ds/query|3f|"; startswith; content:"ds|5f|type|3d 5f 5f|expr|5f 5f|"; fast_pattern; content:"expression|3d|true"; http.request_body; content:"|22|expression|22 3a|"; pcre:"/^\x20?\x22[^\x22]*?(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,github.com/nollium/CVE-2024-9264/; reference:cve,2024-9264; classtype:web-application-attack; sid:2056768; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_22, cve CVE_2024_9264, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_25, reviewed_at 2025_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Look for POST requests to /api/ds/query with ds_type=__expr__ and expression=true in the query string, combined with a JSON body containing a query of "type":"sql"; this is the attack vector for CVE-2024-9264.
- Inspect the "expression" value in the JSON body of requests to /api/ds/query for SQL keywords such as SELECT, FROM, read_blob, UNION, INSERT and DELETE; these indicate exploitation attempts.
- The Snort/ET rule uses a PCRE to match SQL injection patterns (SELECT ... FROM/USER, UNION SELECT, UPDATE ... SET, DELETE FROM, INSERT INTO, /* */ comments) inside the "expression" JSON key of the request body. The rule is post-authentication (it fires on traffic from a logged-in session) and its metadata requires TLS decryption in front of the sensor (tls_state TLSDecrypt), so it is blind to encrypted traffic without an intercepting proxy.
- A successful file-read response contains "data":{ in the JSON body together with passwd-style content matching the regex root:.*:0:; use both as confirmation matchers.
- The feature is enabled by default for the API due to an incorrect implementation of feature flags, even though it is experimental; do not assume the feature is disabled in affected Grafana deployments.
- The attack requires the duckdb binary to be present in the Grafana process's $PATH. Audit the PATH of the running Grafana process (not just an interactive shell on the host) for a duckdb binary as a prerequisite indicator of exploitability.
- Any authenticated user with VIEWER or higher permission can trigger the attack; do not restrict detection scope to admin-level sessions.
- The SQL Expressions feature was introduced in Grafana 11.0.0. Versions prior to 11.0.0 are not affected.
- Red Hat Enterprise Linux 8, 9 and 10 and Red Hat Storage 3 ship Grafana versions that do not include this feature and are confirmed not affected.
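The request and response checks from the bullets above, applied as an added Python example (not code from the page's sources, from the ET rule or from Grafana): the request side follows the rule's structure (POST, /api/ds/query, ds_type=__expr__ and expression=true, then the "expression" key of a type=sql query) and flags the same classes of SQL keywords the rule's PCRE targets plus read_blob; the response side applies the two Nuclei matchers. The sample records are constructed, not real captures, and their field layout (method, uri, body, response) is an assumption about how a proxy or SIEM logs the exchange.

```python
from __future__ import annotations

import json
import re
from urllib.parse import parse_qs, urlsplit

# Keyword classes taken from the ET rule's PCRE (SELECT ... FROM/USER, UNION SELECT,
# UPDATE ... SET, DELETE FROM, INSERT INTO, SHOW TABLES/VARIABLES, /* */ comments)
# plus DuckDB's read_blob(), which the file-read PoC uses.
SQL_INDICATORS = re.compile(
    r"SELECT\s.*?\bFROM\b|SELECT\s+USER|UNION\s+SELECT|UPDATE\s.*?\bSET\b"
    r"|DELETE\s+FROM|INSERT\s+INTO|SHOW\s+(?:TABLES|VARIABLES)|/\*.*?\*/|\bread_blob\s*\(",
    re.IGNORECASE | re.DOTALL,
)

# Response matchers from the Nuclei template: a data frame plus passwd-style content.
FRAME_MARKER = '"data":{'
PASSWD_LINE = re.compile(r"root:.*:0:")


def classify_request(rec: dict) -> str | None:
    """Return 'exploit', 'review' or None for one logged request.

    rec uses the assumed log layout {"method", "uri", "body"}; body is the raw JSON text.
    """
    if rec.get("method", "").upper() != "POST":
        return None
    parts = urlsplit(rec.get("uri", ""))
    if parts.path != "/api/ds/query":
        return None
    qs = parse_qs(parts.query)
    # The exploit targets the __expr__ pseudo-datasource with expression=true.
    if qs.get("ds_type") != ["__expr__"] or qs.get("expression") != ["true"]:
        return None
    try:
        body = json.loads(rec.get("body", ""))
    except ValueError:
        return "review"  # expression endpoint with a body we cannot parse
    if not isinstance(body, dict):
        return "review"
    verdict = None
    for query in body.get("queries", []):
        if not isinstance(query, dict) or query.get("type") != "sql":
            continue  # math/reduce/resample expressions are the legitimate uses
        expression = str(query.get("expression", ""))
        if SQL_INDICATORS.search(expression):
            return "exploit"
        verdict = "review"  # type=sql reaches DuckDB even without a known keyword
    return verdict


def confirms_file_read(response_body: str) -> bool:
    """True when the response looks like a successful /etc/passwd read."""
    return FRAME_MARKER in response_body and PASSWD_LINE.search(response_body) is not None


# Constructed sample records (not real captures) in the assumed log layout.
SAMPLES = {
    "prometheus_query": {
        "method": "POST",
        "uri": "/api/ds/query?ds_type=prometheus",
        "body": json.dumps({"queries": [{"refId": "A", "expr": "up"}]}),
        "response": '{"results":{"A":{"frames":[]}}}',
    },
    "math_expression": {
        "method": "POST",
        "uri": "/api/ds/query?ds_type=__expr__&expression=true",
        "body": json.dumps({"queries": [
            {"refId": "B", "datasource": {"type": "__expr__", "uid": "__expr__"},
             "type": "math", "expression": "$A * 2"}]}),
        "response": '{"results":{"B":{"frames":[]}}}',
    },
    "duckdb_file_read": {
        "method": "POST",
        "uri": "/api/ds/query?ds_type=__expr__&expression=true",
        "body": json.dumps({"queries": [
            {"refId": "C", "datasource": {"type": "__expr__", "uid": "__expr__"},
             "type": "sql", "expression": "SELECT content FROM read_blob('/etc/passwd')"}]}),
        "response": '{"results":{"C":{"frames":[{"data":{"values":[["root:x:0:0:root:/root:/bin/sh\\n"]]}}]}}}',
    },
}


def triage(samples: dict) -> dict[str, tuple[str | None, bool]]:
    """Map each record name to (request verdict, response confirmed file read)."""
    return {name: (classify_request(rec), confirms_file_read(rec["response"]))
            for name, rec in samples.items()}


if __name__ == "__main__":
    for name, (verdict, confirmed) in triage(SAMPLES).items():
        print(f"{name:18s} verdict={verdict!s:8s} file_read_confirmed={confirmed}")
```

The "review" verdict is deliberate: any type=sql expression reaches DuckDB, so a hit without a known keyword is still worth a look on a host where the duckdb binary is present, while math expressions on the same endpoint are normal Grafana traffic and stay silent.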
CVSS provenance
NVD (CVSS v3.1): 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v4.0): 9.4 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV: 9.4 CRITICAL
Red Hat: 9.4 CRITICAL
OSV · 2024-10-28
Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v11.0.0 before v11.0.6+security-01, from v11.1.0 before v11.1.7+security-01, from v11.2.0 before v11.2.2+security-01.
OSV · 2024-10-18 · CVSS 9.4 CRITICAL
CVE-2024-9264: The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input (description as above).
GHSA · 2024-10-18 · CRITICAL · CWE-77
Grafana Command Injection And Local File Inclusion Via Sql Expressions (description as above).
OSV · 2024-10-18 · CRITICAL
Grafana Command Injection And Local File Inclusion Via Sql Expressions (description as above).
Red Hat · 2024-10-24 · CVSS 9.4 CRITICAL · CWE-77
grafana: Command injection and local file inclusion via SQL Expressions (description as above).
A vulnerability was found in Grafana. An experimental feature named SQL Expressions was recently added to Grafana to allow query output to be post-processed using SQL. These SQL queries were incompletely sanitized, leading t
Suricata · 2024-10-22 · CVSS 9.4 CRITICAL
ET WEB_SPECIFIC_APPS Grafana Post-Authentication DuckDB SQL Injection (CVE-2024-9264)
Rule: sid 2056768, reproduced in full under Detection & IOCs above.
Nuclei · CVSS 9.4 CRITICAL
Grafana Post-Auth DuckDB - SQL Injection To File Read (description as above).
Template (truncated in the source):
id: CVE-2024-9264

info:
  name: Grafana Post-Auth DuckDB - SQL Injection To File Read
  author: princechaddha
  severity: critical
  description: |
    The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb`
GreyNoise · NoiseLetter October 2025 (blogs_greynoiseio)
CTF · ctf_writeups · CVSS 6.0 MEDIUM
easy / README (HackTheBox Easy Machines reference)
Bugzilla · 2024-10-04 · CVSS 8.8 HIGH
CVE-2024-9264 grafana: Command injection and local file inclusion via SQL Expressions
An experimental feature named SQL Expressions was recently added to Grafana (as part of 11.0.0) that allows for query output to be post-processed using SQL; these SQL queries were incompletely sanitized, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack.
Due to an incorrect implementation of feature flags, this experimental feature is enabled by default for the API. However, to be exploitable, the Grafana process' PATH must contain the DuckDB binary; if DuckDB is not present, the system is not vulnerable. The DuckDB binary is not packaged with Grafana by default, so to be exploitable a system must expl
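The prerequisite check from the paragraph above, as an added Python example that is neither Grafana's nor Red Hat's code: it reads PATH from the running Grafana process's own environment in /proc (Linux only), because a login shell's PATH routinely differs from the one systemd or a container entrypoint gives the service, and lists every executable named duckdb on it. The process names grafana and grafana-server, and the fake binary in the offline self-test, are assumptions; run it on the Grafana host, or inside the container when Grafana runs in Docker.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path


def executables_in_path(name: str, path_value: str) -> list[str]:
    """Every regular, executable file called `name` in a PATH string, in search order."""
    hits: list[str] = []
    for entry in path_value.split(os.pathsep):
        if not entry:
            continue
        candidate = Path(entry) / name
        try:
            st = candidate.stat()
        except OSError:
            continue  # directory missing or unreadable
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            hits.append(str(candidate))
    return hits


def process_environ(pid: int) -> dict[str, str]:
    """Environment of a running process from /proc (Linux; needs rights on that process)."""
    raw = Path(f"/proc/{pid}/environ").read_bytes()
    env: dict[str, str] = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def grafana_pids() -> list[int]:
    """PIDs whose comm is grafana or grafana-server (assumed process names; Linux /proc walk)."""
    pids: list[int] = []
    try:
        entries = list(Path("/proc").iterdir())
    except OSError:
        return pids  # not Linux or /proc unavailable
    for entry in entries:
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue
        if comm in ("grafana", "grafana-server"):
            pids.append(int(entry.name))
    return pids


def audit_grafana_hosts() -> dict[int, list[str]]:
    """For each Grafana process, the duckdb binaries reachable from that process's PATH."""
    result: dict[int, list[str]] = {}
    for pid in grafana_pids():
        try:
            path_value = process_environ(pid).get("PATH", "")
        except OSError:
            path_value = ""  # no permission to read environ: rerun as root or the grafana user
        result[pid] = executables_in_path("duckdb", path_value)
    return result


def self_test() -> tuple[list[str], list[str]]:
    """Offline check with a constructed fake duckdb: (hits while executable, hits after chmod -x)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "duckdb"
        fake.write_text("#!/bin/sh\nexit 0\n")
        fake.chmod(0o755)
        search = os.pathsep.join([tmp, "/definitely/not/a/dir"])
        found = executables_in_path("duckdb", search)
        fake.chmod(0o644)  # present but not executable: the exec-bit check skips it
        not_exec = executables_in_path("duckdb", search)
    return found, not_exec


if __name__ == "__main__":
    for pid, hits in audit_grafana_hosts().items():
        print(f"pid {pid}: {'duckdb reachable at ' + ', '.join(hits) if hits else 'no duckdb on PATH'}")
```

A non-empty list means the precondition for exploitation is met on that host and patching is urgent; an empty list with no permission error means the host cannot be exploited this way even while unpatched, though the version check and the upgrade still apply.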