
Commit ec3f152

ryan-aus and JadonWill authored
Grafana critical update (#1055)
* Grafana Critical Update
* Format markdown docs
* Updated link
* Update 20241021002 Updated vulnerability table with just security-related fix information.
* Format markdown docs
* Update 20241021002 Removed all auto-generated '\' from table text
* Format markdown docs

--------

Co-authored-by: ryan-aus <[email protected]>
Co-authored-by: JadonWill <[email protected]>
Co-authored-by: JadonWill <[email protected]>
1 parent 76d52dd commit ec3f152

1 file changed

+23
-0
lines changed

Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
# Grafana Releases Critical Update - 20241021002
2+
3+
## Overview
4+
5+
The WA SOC has been made aware of a critical vulnerability in Grafana's SQL Expressions experimental feature where insufficient query sanitisation could lead to command injection and local file inclusion from any user with VIEWER or higher permissions.
6+
7+
The 'duckdb' binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
8+
9+
## What is vulnerable?
10+
11+
| Product(s) Affected | Version(s) | CVE | CVSS | Severity |
12+
| ------------------- | ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- | ---- | ------------ |
13+
| Grafana | - 11.0 \< 11.0.5+security-01 <br> - 11.1 \< 11.1.6+security-01 <br> - 11.2 \< 11.2.1+security-01 | [CVE-2024-9264](https://nvd.nist.gov/vuln/detail/CVE-2024-9264) | 9.9 | **Critical** |
14+
15+
## What has been observed?
16+
17+
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
18+
19+
## Recommendation
20+
21+
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours* (refer [Patch Management](../guidelines/patch-management.md)):
22+
23+
- Grafana: <https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/>
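Review bot: line 13 still carries the `\<` escapes in the Version(s) column even though the commit message says the auto-generated backslashes were removed from the table text; a bare `<` renders correctly in a GitHub-flavoured markdown table cell, so `- 11.0 < 11.0.5+security-01 <br> - 11.1 < 11.1.6+security-01 <br> - 11.2 < 11.2.1+security-01` would be cleaner and consistent with that message. Line 21 reads "within expected timeframe of *48 hours*" and should be "within the expected timeframe of *48 hours*". Since line 7 states the attack only works when the duckdb binary is on Grafana's $PATH, the Recommendation section could add one line asking administrators to confirm duckdb is not on the Grafana host's PATH (or remove it) as an interim control until the fixed versions in line 13 are deployed.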
