Description
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
A vulnerability was found in Grafana. An experimental feature named SQL Expressions was recently added to Grafana to allow query output to be post-processed using SQL. These SQL queries were incompletely sanitized, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission can execute this attack.
Statement
This vulnerability is classified as critical instead of important because it allows for command injection and local file inclusion, potentially leading to arbitrary code execution or unauthorized access to sensitive files. The exploit can be carried out by any user with VIEWER or higher permissions, significantly increasing the attack surface. Moreover, due to an incorrect implementation of feature flags, the SQL Expressions feature is enabled by default for the API, making it more likely to be exposed in affected deployments. Although the vulnerability requires the presence of the DuckDB binary in the Grafana process's PATH, systems that meet this condition are at significant risk. It’s important to note that this issue was introduced in a Grafana version not included in any Red Hat offerings, ensuring that Red Hat customers are not impacted.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
Platform | Package | State | Errata | Release
---|---|---|---|---
Red Hat Enterprise Linux 8 | grafana | Not affected | |
Red Hat Enterprise Linux 9 | grafana | Not affected | |
Red Hat Storage 3 | grafana | Not affected | |
Additional information
Status:
9.9 Critical
CVSS3
Related vulnerabilities
Grafana Command Injection And Local File Inclusion Via Sql Expressions
Vulnerability in the Expressions feature of the Grafana monitoring and observability platform that allows an attacker to execute arbitrary code
9.9 Critical
CVSS3