x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215

GoVulnBot · 2024-10-25T15:01:25Z

Advisory GHSA-q99m-qcv4-fpm7 references a vulnerability in the following Go modules:

Module
github.com/grafana/grafana

Description:
The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The duckdb binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

References:

Cross references:

github.com/grafana/grafana appears in 51 other report(s):
- data/excluded/GO-2022-0259.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-41244 #259) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0275.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43798 #275) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0276.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43813 #276) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0277.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43815 #277) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0296.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21673 #296) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0311.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21702 #311) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0312.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21703 #312) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0313.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21713 #313) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0753.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api/avatar: GHSA-wc9w-wvq2-ffm9 #753) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0773.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-27358, GHSA-h5rh-w6vm-9ghc #773 #773) EFFECTIVELY_PRIVATE
- data/excluded/GO-2022-0934.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-39226, GHSA-69j6-29vr-p3j9 #934) NOT_IMPORTABLE
- data/excluded/GO-2023-1599.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7rqg-hjwc-6mjf #1599) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1603.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hjv9-hm2f-rpcj #1603) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1604.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xw5p-hw8j-xg4q #1604) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1673.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3cgw-hfw7-wc7j #1673) NOT_A_VULNERABILITY
- data/excluded/GO-2023-1674.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-qrrg-gw7w-vp76 #1674) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1680.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7phr-6cc9-4m5q #1680) NOT_GO_CODE
- data/excluded/GO-2023-1843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wm7r-3qxj-5xgq #1843) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x2w4-c67p-g44j #1844) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-cvm3-pp2j-chr3 #1856) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1875.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1964.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x5fh-fvvr-892f #1964) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-2120.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-fw9c-75hh-89p6 #2120) EFFECTIVELY_PRIVATE
- data/excluded/GO-2024-2551.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3hv4-r2fm-h27f #2551) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0342.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2018-18623 #342)
- data/reports/GO-2022-0707.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api: GHSA-rgjg-66cx-5x9m #707)
- data/reports/GO-2024-2483.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-6wh2-8hw7-jw94 #2483)
- data/reports/GO-2024-2510.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-v5gq-qvjq-8p53 #2510)
- data/reports/GO-2024-2513.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3jq7-8ph8-63xm #2513)
- data/reports/GO-2024-2515.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7m2x-qhrq-rp8h #2515)
- data/reports/GO-2024-2516.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-9hv8-4frf-cprf #2516)
- data/reports/GO-2024-2517.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ccmg-w4xm-p28v #2517)
- data/reports/GO-2024-2519.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519)
- data/reports/GO-2024-2520.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mvpr-q6rh-8vrp #2520)
- data/reports/GO-2024-2523.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xr3x-62qw-vc4w #2523)
- data/reports/GO-2024-2629.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-5mxf-42f5-j782 #2629)
- data/reports/GO-2024-2661.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/tsdb/mysql: GHSA-4pwp-cx67-5cpx #2661)
- data/reports/GO-2024-2697.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-67rv-qpw2-6qrr #2697)
- data/reports/GO-2024-2843.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-2x6g-h2hg-rq84 #2843)
- data/reports/GO-2024-2844.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3p62-42x7-gxg5 #2844)
- data/reports/GO-2024-2847.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-ff5c-938w-8c9q #2847)
- data/reports/GO-2024-2848.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-gj7m-853r-289r #2848)
- data/reports/GO-2024-2851.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-jv32-5578-pxjc #2851)
- data/reports/GO-2024-2852.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mx47-6497-3fv2 #2852)
- data/reports/GO-2024-2854.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-p978-56hq-r492 #2854)
- data/reports/GO-2024-2855.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-rhxj-gh46-jvw8 #2855)
- data/reports/GO-2024-2856.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vqc4-mpj8-jxch #2856)
- data/reports/GO-2024-2857.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-vw7q-p2qg-4m5f #2857)
- data/reports/GO-2024-2858.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x744-mm8v-vpgr #2858)
- data/reports/GO-2024-2867.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-4724-7jwc-3fpw #2867)
- data/reports/GO-2024-3079.yaml (x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/grafana/grafana
      non_go_versions:
        - introduced: TODO (earliest fixed "11.2.2+security-01", vuln range ">= 11.2.0, <= 11.2.2")
        - introduced: TODO (earliest fixed "11.1.7+security-01", vuln range ">= 11.1.0, <= 11.1.7")
        - introduced: TODO (earliest fixed "11.0.6+security-01", vuln range ">= 11.0.0, <= 11.0.6")
      vulnerable_at: 5.4.5+incompatible
summary: Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana
cves:
    - CVE-2024-9264
ghsas:
    - GHSA-q99m-qcv4-fpm7
references:
    - advisory: https://github.com/advisories/GHSA-q99m-qcv4-fpm7
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9264
    - fix: https://github.com/grafana/grafana/pull/81666
    - web: https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264
    - web: https://grafana.com/security/security-advisories/cve-2024-9264
notes:
    - fix: 'module merge error: could not merge versions of module github.com/grafana/grafana: invalid or non-canonical semver version (found TODO (earliest fixed "11.2.2+security-01", vuln range ">= 11.2.0, <= 11.2.2"))'
source:
    id: GHSA-q99m-qcv4-fpm7
    created: 2024-10-25T15:01:24.992256131Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-10-28T15:11:55Z

Change https://go.dev/cl/622835 mentions this issue: data/reports: add 16 unreviewed reports

tatianab added the triaged label Oct 28, 2024

tatianab self-assigned this Oct 28, 2024

gopherbot closed this as completed in 2b20095 Oct 28, 2024

GoVulnBot mentioned this issue Oct 29, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-66c4-2g2v-54qw #3240

Closed

GoVulnBot mentioned this issue Jan 31, 2025

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wxcc-2f3q-4h58 #3438

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215

GoVulnBot commented Oct 25, 2024

gopherbot commented Oct 28, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215

Comments

GoVulnBot commented Oct 25, 2024

gopherbot commented Oct 28, 2024