AIKIDO-2024-10432

@grafana/data is vulnerable to Code Injection

98 | Critical | @grafana/data (js)

AIKIDO-2024-10432: @grafana/data is vulnerable to Code Injection in versions 11.0.0 - 11.0.4, 11.1.0 - 11.1.5 and 11.2.0 - 11.2.0.

Code Injection
- Vulnerable in 11.0.0 - 11.0.4, fixed in 11.0.5
- Vulnerable in 11.1.0 - 11.1.5, fixed in 11.1.6
- Vulnerable in 11.2.0 - 11.2.0, fixed in 11.2.1
CVE-2024-9264
TL;DR

Affected versions of the package are vulnerable to code injection. The flaw is in an experimental feature named SQL Expressions, which lets the output of a data source query be post-processed by running one or more SQL queries over it. Grafana implements this by passing the query and the data to the DuckDB CLI, which executes the SQL against the DataFrame data. The SQL queries were not fully sanitized before being handed to the CLI, which leads to both a command injection and a local file inclusion vulnerability.

Who does this affect?

You are affected if you are running a version inside one of the vulnerable ranges and the host has the DuckDB binary installed and present on Grafana's PATH. Both conditions must hold; without a DuckDB binary on PATH the SQL Expressions feature cannot execute the query.

How can it be fixed?

Upgrade the @grafana/data library to a patched version (11.0.5, 11.1.6 or 11.2.1, depending on your release line).


© 2024 Aikido Security BV | BE0792914919