CVE-2024-9264 PoC — Grafana SQL Expressions allow for remote code execution

Associated Vulnerability
Title: Grafana SQL Expressions allow for remote code execution (CVE-2024-9264)
Description: The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
Description
Grafana image with DuckDB binary present vulnerable to exploit CVE-2024-9264
Readme
# grafana-CVE-2024-9264

This repo contains details about CVE-2024-9264. It also builds a vulnerable version of Grafana that can be pulled
from `ghcr.io/patrickpichler/grafana-cve-2024-9264:11.0.0`.
File Snapshot

[4.0K] /data/pocs/873001a06bce6f297af32e96b62a3f224ec3eea3
├── [ 326] Dockerfile
└── [ 200] README.md

0 directories, 2 files