cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-9264,https://securityvulnerability.io/vulnerability/CVE-2024-9264,Grafana SQL Expressions Vulnerability: Command Injection and Local File Inclusion Risks,"The experimental SQL Expressions feature in Grafana evaluates `duckdb` queries that can contain user input. Those queries are not adequately sanitized before being handed to `duckdb`, which leads to command injection and local file inclusion. Any user with VIEWER or higher permissions can carry out the attack. The attack also requires the `duckdb` binary to be present on the Grafana process's $PATH; Grafana distributions do not install it by default. The root cause is missing input validation on user-derived queries that are passed to an external query engine.",Grafana,Grafana,8.8,HIGH,0.18512000143527985,false,,true,false,true,2024-10-17T01:00:00.000Z,true,true,true,2024-10-23T08:52:02.695Z,2024-10-18T03:20:52.489Z,9915
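The record above names two preconditions for exploitation: the experimental SQL Expressions feature must be enabled, and a `duckdb` binary must be resolvable on the Grafana process's PATH. The Go program below is an added example (not Grafana's code and not from the feed) that checks both on a host. It assumes the feature toggle is named `sqlExpressions` and is read from `GF_FEATURE_TOGGLES_ENABLE` (the environment form of `[feature_toggles] enable =` in grafana.ini); confirm both against the docs for your Grafana version.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Exposure records the two preconditions the advisory names for CVE-2024-9264:
// a `duckdb` binary on the Grafana process's PATH and the SQL Expressions
// feature toggle enabled.
type Exposure struct {
	DuckDBPath       string // resolved binary path, empty when not found
	SQLExpressionsOn bool
}

// Exploitable is true only when both preconditions hold; per the advisory a
// VIEWER account is then enough to reach the vulnerable code path.
func (e Exposure) Exploitable() bool {
	return e.DuckDBPath != "" && e.SQLExpressionsOn
}

// sqlExpressionsToggle is the feature toggle name ASSUMED by this example for
// the experimental SQL Expressions feature; verify it for your version.
const sqlExpressionsToggle = "sqlExpressions"

// toggleEnabled parses the comma-separated toggle list Grafana accepts in
// `[feature_toggles] enable = ...` / GF_FEATURE_TOGGLES_ENABLE.
func toggleEnabled(enableValue, toggle string) bool {
	for _, t := range strings.Split(enableValue, ",") {
		if strings.TrimSpace(t) == toggle {
			return true
		}
	}
	return false
}

// AssessExposure takes a PATH lookup function (exec.LookPath in production,
// a stub in tests) and the configured toggle list, and reports the exposure.
func AssessExposure(lookPath func(string) (string, error), enableValue string) Exposure {
	e := Exposure{SQLExpressionsOn: toggleEnabled(enableValue, sqlExpressionsToggle)}
	if p, err := lookPath("duckdb"); err == nil {
		e.DuckDBPath = p
	}
	return e
}

func main() {
	// Run this as the same user and with the same PATH as the grafana
	// process, otherwise the binary lookup answers the wrong question.
	e := AssessExposure(exec.LookPath, os.Getenv("GF_FEATURE_TOGGLES_ENABLE"))
	fmt.Printf("duckdb on PATH: %q\nsqlExpressions enabled: %v\nexploitable by a VIEWER: %v\n",
		e.DuckDBPath, e.SQLExpressionsOn, e.Exploitable())
}
```

Two points of practice follow from the advisory. First, the check only means something when run in the Grafana process's environment (same user, same PATH, same container), since that is the PATH `duckdb` is resolved from. Second, removing the binary or leaving the feature disabled is the mitigation the record itself supports; there is no sanitizer that makes arbitrary user SQL safe to hand to a query engine that can read host files by design, so patching rather than filtering is the fix.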