Description
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Remediation
References
Related Vulnerabilities
WordPress Plugin Slider by 10Web-Responsive Image Slider Cross-Site Request Forgery (1.2.22)
phpMyAdmin Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2012-5159)
Oracle Database Server Other Vulnerability (CVE-2002-0856)
Internet Information Services Other Vulnerability (CVE-1999-1544)