Description
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
Remediation
References
Related Vulnerabilities
WordPress Plugin Advanced Custom Fields (ACF) Information Disclosure (6.0.2)
MySQL CVE-2018-2817 Vulnerability (CVE-2018-2817)
WordPress Plugin WP e-Commerce-Store Toolkit Privilege Escalation (2.0)
WordPress Plugin YARPP-Yet Another Related Posts Local File Inclusion (5.30.3)
Oracle Database Server CVE-2021-2234 Vulnerability (CVE-2021-2234)