Command Injection and Local File Inclusion in Grafana: CVE-2024-9264


The SonicWall Capture Labs threat research team became aware of a critical vulnerability in Grafana, assessed its impact and developed mitigation measures.

Grafana is a multi-platform open-source analytics and visualization solution that can produce charts, graphs and alerts according to the data. Identified as CVE-2024-9264, Grafana versions 11.0.x, 11.1.x and 11.2.x allows an attacker with ‘viewer’ or higher permission to achieve command injection and local file inclusion (LFI) using the experimental SQL expressions feature, earning a critical CVSS score of 9.9. Considering a publicly available proof of concept (PoC) code exists for this vulnerability and the popularity of Grafana, exploitation is more likely in the upcoming days.

Read more…
Source: Sonicwall


Sign up for our Newsletter


Related:

  • NSA Advocates Data Sharing Framework

    June 23, 2017

    The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys. “We need to conduct defenses in a way that ...