
CVE-2024-9264 PoC — Grafana SQL Expressions allow for remote code execution

Associated Vulnerability
Title: Grafana SQL Expressions allow for remote code execution (CVE-2024-9264)
Description: The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
Description
File Read Proof of Concept for CVE-2024-9264
Readme
# File-Read-CVE-2024-9264
Proof Of Concept for File Read in Grafana (CVE-2024-9264)

## Prerequisites
- Authenticated Grafana user with `Viewer` permissions or higher
- DuckDB binary must be installed and accessible through Grafana's PATH

## Impacted versions
Grafana >= v11.0.0 (all v11.x.y releases are impacted)

## Usage
```
python3 poc.py [--url <target>] [--user <username>] [--password <password>] [--file <path>]
```

## Example
```
python3 poc.py --url http://127.0.0.1:3000 --user eviluser --password eviluser --file /etc/passwd
```

## Disclaimer

This script is intended for educational purposes and for use in controlled environments where you have permission to test the security of the system. Misuse of this tool could lead to legal consequences.

## More
https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/
