x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7

[GoVulnBot]

Advisory GHSA-q99m-qcv4-fpm7 references a vulnerability in the following Go modules:

Module
github.com/grafana/grafana

Description: The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The duckdb binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.

References:

• ADVISORY: https://github.com/advisories/GHSA-q99m-qcv4-fpm7
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-9264
• FIX: https://github.com/grafana/grafana/pull/81666
• WEB: https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264
• WEB: https://grafana.com/security/security-advisories/cve-2024-9264

Cross references:

• github.com/grafana/grafana appears in 51 other report(s):
  • data/excluded/GO-2022-0259.yaml (https://github.com/golang/vulndb/issues/259) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0275.yaml (https://github.com/golang/vulndb/issues/275) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0276.yaml (https://github.com/golang/vulndb/issues/276) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0277.yaml (https://github.com/golang/vulndb/issues/277) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0296.yaml (https://github.com/golang/vulndb/issues/296) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0311.yaml (https://github.com/golang/vulndb/issues/311) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0312.yaml (https://github.com/golang/vulndb/issues/312) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0313.yaml (https://github.com/golang/vulndb/issues/313) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0753.yaml (https://github.com/golang/vulndb/issues/753) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0773.yaml (https://github.com/golang/vulndb/issues/773) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0934.yaml (https://github.com/golang/vulndb/issues/934) NOT_IMPORTABLE
  • data/excluded/GO-2023-1599.yaml (https://github.com/golang/vulndb/issues/1599) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1603.yaml (https://github.com/golang/vulndb/issues/1603) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1604.yaml (https://github.com/golang/vulndb/issues/1604) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1673.yaml (https://github.com/golang/vulndb/issues/1673) NOT_A_VULNERABILITY
  • data/excluded/GO-2023-1674.yaml (https://github.com/golang/vulndb/issues/1674) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1680.yaml (https://github.com/golang/vulndb/issues/1680) NOT_GO_CODE
  • data/excluded/GO-2023-1843.yaml (https://github.com/golang/vulndb/issues/1843) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1844.yaml (https://github.com/golang/vulndb/issues/1844) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1856.yaml (https://github.com/golang/vulndb/issues/1856) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1875.yaml (https://github.com/golang/vulndb/issues/1875) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1964.yaml (https://github.com/golang/vulndb/issues/1964) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2120.yaml (https://github.com/golang/vulndb/issues/2120) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2024-2551.yaml (https://github.com/golang/vulndb/issues/2551) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0342.yaml (https://github.com/golang/vulndb/issues/342)
  • data/reports/GO-2022-0707.yaml (https://github.com/golang/vulndb/issues/707)
  • data/reports/GO-2024-2483.yaml (https://github.com/golang/vulndb/issues/2483)
  • data/reports/GO-2024-2510.yaml (https://github.com/golang/vulndb/issues/2510)
  • data/reports/GO-2024-2513.yaml (https://github.com/golang/vulndb/issues/2513)
  • data/reports/GO-2024-2515.yaml (https://github.com/golang/vulndb/issues/2515)
  • data/reports/GO-2024-2516.yaml (https://github.com/golang/vulndb/issues/2516)
  • data/reports/GO-2024-2517.yaml (https://github.com/golang/vulndb/issues/2517)
  • data/reports/GO-2024-2519.yaml (https://github.com/golang/vulndb/issues/2519)
  • data/reports/GO-2024-2520.yaml (https://github.com/golang/vulndb/issues/2520)
  • data/reports/GO-2024-2523.yaml (https://github.com/golang/vulndb/issues/2523)
  • data/reports/GO-2024-2629.yaml (https://github.com/golang/vulndb/issues/2629)
  • data/reports/GO-2024-2661.yaml (https://github.com/golang/vulndb/issues/2661)
  • data/reports/GO-2024-2697.yaml (https://github.com/golang/vulndb/issues/2697)
  • data/reports/GO-2024-2843.yaml (https://github.com/golang/vulndb/issues/2843)
  • data/reports/GO-2024-2844.yaml (https://github.com/golang/vulndb/issues/2844)
  • data/reports/GO-2024-2847.yaml (https://github.com/golang/vulndb/issues/2847)
  • data/reports/GO-2024-2848.yaml (https://github.com/golang/vulndb/issues/2848)
  • data/reports/GO-2024-2851.yaml (https://github.com/golang/vulndb/issues/2851)
  • data/reports/GO-2024-2852.yaml (https://github.com/golang/vulndb/issues/2852)
  • data/reports/GO-2024-2854.yaml (https://github.com/golang/vulndb/issues/2854)
  • data/reports/GO-2024-2855.yaml (https://github.com/golang/vulndb/issues/2855)
  • data/reports/GO-2024-2856.yaml (https://github.com/golang/vulndb/issues/2856)
  • data/reports/GO-2024-2857.yaml (https://github.com/golang/vulndb/issues/2857)
  • data/reports/GO-2024-2858.yaml (https://github.com/golang/vulndb/issues/2858)
  • data/reports/GO-2024-2867.yaml (https://github.com/golang/vulndb/issues/2867)
  • data/reports/GO-2024-3079.yaml (https://github.com/golang/vulndb/issues/3079)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/grafana/grafana
      non_go_versions:
        - introduced: TODO (earliest fixed "11.2.2+security-01", vuln range ">= 11.2.0, <= 11.2.2")
        - introduced: TODO (earliest fixed "11.1.7+security-01", vuln range ">= 11.1.0, <= 11.1.7")
        - introduced: TODO (earliest fixed "11.0.6+security-01", vuln range ">= 11.0.0, <= 11.0.6")
      vulnerable_at: 5.4.5+incompatible
summary: Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana
cves:
    - CVE-2024-9264
ghsas:
    - GHSA-q99m-qcv4-fpm7
references:
    - advisory: https://github.com/advisories/GHSA-q99m-qcv4-fpm7
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-9264
    - fix: https://github.com/grafana/grafana/pull/81666
    - web: https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264
    - web: https://grafana.com/security/security-advisories/cve-2024-9264
notes:
    - fix: 'module merge error: could not merge versions of module github.com/grafana/grafana: invalid or non-canonical semver version (found TODO (earliest fixed "11.2.2+security-01", vuln range ">= 11.2.0, <= 11.2.2"))'
source:
    id: GHSA-q99m-qcv4-fpm7
    created: 2024-10-25T15:01:24.992256131Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/622835 mentions this issue: data/reports: add 16 unreviewed reports