The SQL Expressions experimental feature of Grafana allows the evaluation of `duckdb` queries that contain user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission can carry out this attack. The `duckdb` binary must be present in Grafana's `$PATH` for the attack to function; by default, this binary is not installed in Grafana distributions.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/grafana/grafana (Go) | 11.0.0 | 11.0.6+security-01 | N/A |
| github.com/grafana/grafana (Go) | 11.1.0 | 11.1.7+security-01 | N/A |
| github.com/grafana/grafana (Go) | 11.2.0 | 11.2.2+security-01 | N/A |
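As an added check, not taken from the advisory or from Grafana's code base, the Go helper below encodes the three affected ranges from the table and the two preconditions the advisory states: a version inside one of those ranges and a `duckdb` binary reachable via `$PATH`. It assumes the `+security-01` suffix is semver build metadata (so plain 11.0.6 compares equal to the fix), and the `$PATH` lookup reflects only the process that runs it.

```go
package main

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// Advisory table rows as [introduced, fixed); "+security-01" is semver build
// metadata, so plain 11.0.6 counts as fixed. Hypothetical helper, not Grafana code.
var affectedRanges = [][2]string{{"11.0.0", "11.0.6"}, {"11.1.0", "11.1.7"}, {"11.2.0", "11.2.2"}}

// versionKey maps "v11.1.7+security-01" to major*1e6+minor*1e3+patch; ok is false unless x.y.z.
func versionKey(v string) (key int, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, false
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, true
}

// IsAffectedVersion reports whether a Grafana version falls inside one of the
// advisory's ranges; 10.x or anything past 11.2.x is outside all three.
func IsAffectedVersion(version string) (bool, error) {
	v, ok := versionKey(version)
	if !ok {
		return false, fmt.Errorf("unparseable version %q", version)
	}
	for _, r := range affectedRanges {
		lo, _ := versionKey(r[0])
		hi, _ := versionKey(r[1])
		if v >= lo && v < hi {
			return true, nil
		}
	}
	return false, nil
}

// DuckDBOnPath checks the advisory's second precondition: a duckdb binary on the
// $PATH of the process running this check, so run it as the Grafana service user.
func DuckDBOnPath() bool {
	_, err := exec.LookPath("duckdb")
	return err == nil
}
```

Both checks must be true for an instance to be exploitable as described; a vulnerable version without `duckdb` on `$PATH` still warrants upgrading, since installing the binary later would complete the preconditions.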