Company of IT security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2024-9264

Description

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

POC

Reference

No PoCs from references.

Github

- https://github.com/12442RF/POC

- https://github.com/14mb1v45h/cyberspace061

- https://github.com/20142995/nuclei-templates

- https://github.com/Bhanunamikaze/VaktScan

- https://github.com/Cythonic1/CVE-2024-9264

- https://github.com/DMW11525708/wiki

- https://github.com/Exerrdev/CVE-2024-9264-Fixed

- https://github.com/GitHubForSnap/grafana-gael

- https://github.com/J1ezds/Vulnerability-Wiki-page

- https://github.com/Lern0n/Lernon-POC

- https://github.com/Linxloop/fork_POC

- https://github.com/PuddinCat/GithubRepoSpider

- https://github.com/PunitTailor55/Grafana-CVE-2024-9264

- https://github.com/Royall-Researchers/CVE-2024-9264

- https://github.com/SrMeirins/HackingVault

- https://github.com/TalMaIka/Planning

- https://github.com/Threekiii/Awesome-POC

- https://github.com/Vishnu-S07/HTB-Planning-Writeup

- https://github.com/XiaomingX/awesome-poc-for-red-team

- https://github.com/a1batr0ssG/VulhubExpand

- https://github.com/adysec/POC

- https://github.com/amalpvatayam67/day05-grafana-sqlexpr-lab

- https://github.com/byt3loss/Nuclei-Blues

- https://github.com/cyb3r-w0lf/nuclei-template-collection

- https://github.com/defHawk-tech/CVEs

- https://github.com/eeeeeeeeee-code/POC

- https://github.com/fcoomans/HTB-machines

- https://github.com/fkie-cad/nvd-json-data-feeds

- https://github.com/greenberglinken/2023hvv_1

- https://github.com/hacieda/planning.htb

- https://github.com/hsvhora/research_blogs

- https://github.com/iemotion/POC

- https://github.com/laoa1573/wy876

- https://github.com/lgturatti/techdrops

- https://github.com/nollium/CVE-2024-9264

- https://github.com/nomi-sec/PoC-in-GitHub

- https://github.com/oLy0/Vulnerability

- https://github.com/patrickpichler/grafana-CVE-2024-9264

- https://github.com/plbplbp/loudong001

- https://github.com/plzheheplztrying/cve_monitor

- https://github.com/punitdarji/Grafana-CVE-2024-9264

- https://github.com/ruizii/CVE-2024-9264

- https://github.com/rvizx/CVE-2024-9264

- https://github.com/solanav/grimoire

- https://github.com/thexnumb/thexwriteup

- https://github.com/trganda/starrlist

- https://github.com/wy876/POC

- https://github.com/wy876/wiki

- https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit

- https://github.com/z3k0sec/File-Read-CVE-2024-9264

- https://github.com/zgimszhd61/CVE-2024-9264

- https://github.com/zgimszhd61/CVE-2024-9264-RCE

- https://github.com/zulloper/cve-poc