Grafana Security Update Advisory (CVE-2024-9264)

Overview

Grafana Labs (https://grafana.com/) has released a security update that addresses a vulnerability in its products. Users of affected products are advised to update to the latest version.

Affected Products

CVE-2024-9264

  • Grafana version: 11.X

Resolved Vulnerabilities

Command injection and local file inclusion vulnerability (CVE-2024-9264) in the SQL Expressions experimental feature of Grafana, caused by user input being passed to a DuckDB query without sufficient validation.

Vulnerability Patches

Patched versions have been made available in the latest updates. Please follow the instructions at the referenced sites to update to the patched version.

CVE-2024-9264

Security patch only:

  • Grafana version: Release 11.0.5+security-01
  • Grafana version: Release 11.1.6+security-01
  • Grafana version: Release 11.2.1+security-01

Security patch applied on top of the latest Grafana release (released on October 1):

  • Grafana version: Release 11.0.6+security-01
  • Grafana version: Release 11.1.7+security-01
  • Grafana version: Release 11.2.2+security-01
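
The following script is an added example, not part of this advisory or of Grafana's own tooling. It parses a Grafana version string (for instance the "version" field that Grafana's /api/health endpoint returns) and reports whether that build is one of the patched releases listed above. The patched version numbers come from this advisory; the health-check JSON embedded in the script is a constructed sample, and the treatment of 11.x releases newer than the listed builds as fixed is an assumption, flagged in the result string.

```python
"""Check a Grafana version against the CVE-2024-9264 patched releases.

Added example, not part of the advisory. Patched builds are taken from the
advisory; the /api/health body below is a constructed sample shaped like
the real endpoint's JSON, which carries a "version" field.
"""
import json
import re

# Patch levels per 11.x minor branch that received a "+security-01" build
# (both the "security patch only" builds and the builds on top of the
# October 1 release are listed in the advisory).
SECURITY_BUILDS = {
    (11, 0): {5, 6},
    (11, 1): {6, 7},
    (11, 2): {1, 2},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+([A-Za-z0-9.-]+))?$")


def parse_version(text):
    """Return (major, minor, patch, suffix) for e.g. '11.2.1+security-01'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix or ""


def assess(version_text):
    """Classify a Grafana version relative to the advisory's patched builds.

    Returns one of:
      'patched'               - exactly one of the listed +security-01 builds
      'patched-later-release' - 11.x build newer than the listed ones
                                (assumption: later releases carry the fix)
      'vulnerable'            - an 11.x build below or equal to a listed
                                patch level without the security suffix
      'unknown-11.x-branch'   - an 11.x minor branch not named in the advisory
      'not-affected'          - outside the 11.X range the advisory covers
    """
    major, minor, patch, suffix = parse_version(version_text)
    if major != 11:
        return "not-affected"
    builds = SECURITY_BUILDS.get((major, minor))
    if builds is None:
        return "unknown-11.x-branch"
    if patch in builds and suffix.startswith("security"):
        return "patched"
    if patch > max(builds):
        return "patched-later-release"
    # Plain 11.0.5 / 11.0.6 etc. without the +security-01 suffix predate
    # the fix, as do all lower patch levels in the branch.
    return "vulnerable"


def assess_health_response(body):
    """Classify the version reported in a /api/health JSON body."""
    return assess(json.loads(body)["version"])


# Constructed sample of a /api/health response (not captured from a server).
SAMPLE_HEALTH = '{"commit": "0000000", "database": "ok", "version": "11.2.0"}'

if __name__ == "__main__":
    for v in ("11.2.0", "11.2.1", "11.2.1+security-01", "11.3.0", "10.4.0"):
        print(f"{v:>22}: {assess(v)}")
    print("sample health body:", assess_health_response(SAMPLE_HEALTH))
```

The exact patch level only counts as fixed when the "+security-01" suffix is present, because a plain 11.0.5, 11.1.6 or 11.2.1 is the release the security build was cut from, not the security build itself.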

 

Referenced Sites

[1] CVE-2024-9264 Detail
    https://nvd.nist.gov/vuln/detail/CVE-2024-9264

[2] Grafana security release: Critical severity fix for CVE-2024-9264
    https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/