CVE-2024-9264 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2024-9264 Interim 1 20 2026-03-05T02:55:18Z current 2024-10-21T23:48:34Z 2026-03-05T02:55:18Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2024-9264 The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2024-November/019776.html E-Mail link for SUSE-SU-2024:3911-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040353.html E-Mail link for SUSE-SU-2025:01985-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040351.html E-Mail link for SUSE-SU-2025:01987-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040349.html E-Mail link for SUSE-SU-2025:01989-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040347.html E-Mail link for SUSE-SU-2025:01991-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3GBL6IN35EDC2YQIKBPTX7XQQ67KRPAM/ E-Mail link for openSUSE-SU-2024:0350-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RVNCO4DCVAR5DOXQHKMKG3RQOMTUK2C7/ E-Mail link for openSUSE-SU-2024:14431-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XTEQAM75LF5DZCFX3MOH4IT3DWP5ZTL6/ E-Mail link for openSUSE-SU-2024:14447-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP7 SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 SUSE Manager Client Tools 12 SUSE Manager Client Tools 15 SUSE Manager Client Tools for SLE Micro 5 SUSE Manager Proxy Module 4.3 SUSE Manager Server 4.3 openSUSE Leap 15.5 openSUSE Leap 15.6 openSUSE Tumbleweed firewalld-prometheus-config-0.1-150000.3.62.2 golang-github-prometheus-alertmanager-0.26.0-1.31.2 golang-github-prometheus-node_exporter-1.9.1-1.36.2 golang-github-prometheus-prometheus-2.53.4-1.60.2 golang-github-prometheus-prometheus-2.53.4-150000.3.62.2 govulncheck-vulndb-0.0.20241030T212825-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 grafana grafana-11.3.0-1.1 grafana-11.5.5-1.79.2 grafana-11.5.5-150000.1.79.1 grafana-11.5.5-150200.3.72.2 less-633-3.1 prometheus-blackbox_exporter-0.26.0-1.27.1 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 release-notes-susemanager-4.3.15.2-150400.3.133.1 less-633-3.1 as a component of Container suse/sl-micro/6.0/baremetal-os-container:latest less-633-3.1 as a component of Container suse/sl-micro/6.0/toolbox:latest less-633-3.1 as a component of Image SL-Micro less-633-3.1 as a component of Image SL-Micro-Base less-633-3.1 as a component of Image SL-Micro-Base-RT less-633-3.1 as a component of Image SL-Micro-Base-RT-SelfInstall less-633-3.1 as a component of Image SL-Micro-Base-RT-encrypted less-633-3.1 as a component of Image SL-Micro-Base-SelfInstall less-633-3.1 as a component of Image SL-Micro-Base-encrypted less-633-3.1 as a component of Image SL-Micro-Base-qcow less-633-3.1 as a component of Image SL-Micro-Default less-633-3.1 as a component of Image SL-Micro-Default-SelfInstall less-633-3.1 as a component of Image SL-Micro-Default-encrypted less-633-3.1 as a component of Image SL-Micro-Default-qcow less-633-3.1 as a component of Image SLE-Micro less-633-3.1 as a component of Image SLE-Micro-Azure less-633-3.1 as a component of Image SLE-Micro-BYOS less-633-3.1 as a component of Image SLE-Micro-BYOS-Azure less-633-3.1 as a component of Image SLE-Micro-BYOS-EC2 less-633-3.1 as a component of Image SLE-Micro-BYOS-GCE less-633-3.1 as a component of Image SLE-Micro-EC2 less-633-3.1 as a component of Image SLE-Micro-GCE release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE grafana-11.5.5-150200.3.72.2 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 grafana-11.5.5-150200.3.72.2 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 golang-github-prometheus-node_exporter-1.9.1-1.36.2 as a component of SUSE Linux Enterprise Server 12 SP3-TERADATA golang-github-prometheus-node_exporter-1.9.1-1.36.2 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 golang-github-prometheus-node_exporter-1.9.1-1.36.2 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 golang-github-prometheus-alertmanager-0.26.0-1.31.2 as a component of SUSE Manager Client Tools 12 golang-github-prometheus-node_exporter-1.9.1-1.36.2 as a component of SUSE Manager Client Tools 12 golang-github-prometheus-prometheus-2.53.4-1.60.2 as a component of SUSE Manager Client Tools 12 grafana-11.5.5-1.79.2 as a component of SUSE Manager Client Tools 12 prometheus-blackbox_exporter-0.26.0-1.27.1 as a component of SUSE Manager Client Tools 12 firewalld-prometheus-config-0.1-150000.3.62.2 as a component of SUSE Manager Client Tools 15 golang-github-prometheus-prometheus-2.53.4-150000.3.62.2 as a component of SUSE Manager Client Tools 15 grafana-11.5.5-150000.1.79.1 as a component of SUSE Manager Client Tools 15 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 as a component of SUSE Manager Client Tools 15 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 as a component of SUSE Manager Client Tools for SLE Micro 5 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 as a component of SUSE Manager Proxy Module 4.3 release-notes-susemanager-4.3.15.2-150400.3.133.1 as a component of SUSE Manager Server 4.3 grafana-11.5.5-150200.3.72.2 as a component of openSUSE Leap 15.6 prometheus-blackbox_exporter-0.26.0-150000.1.27.1 as a component of openSUSE Leap 15.6 govulncheck-vulndb-0.0.20241030T212825-1.1 as a component of openSUSE Tumbleweed grafana-11.3.0-1.1 as a component of openSUSE Tumbleweed grafana as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 grafana as a component of openSUSE Leap 15.5 The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. CVE-2024-9264 Container suse/sl-micro/6.0/baremetal-os-container:latest:less-633-3.1 Container suse/sl-micro/6.0/toolbox:latest:less-633-3.1 Image SL-Micro:less-633-3.1 Image SL-Micro-Base:less-633-3.1 Image SL-Micro-Base-RT:less-633-3.1 Image SL-Micro-Base-RT-SelfInstall:less-633-3.1 Image SL-Micro-Base-RT-encrypted:less-633-3.1 Image SL-Micro-Base-SelfInstall:less-633-3.1 Image SL-Micro-Base-VMware:less-633-3.1 Image SL-Micro-Base-encrypted:less-633-3.1 Image SL-Micro-Base-qcow:less-633-3.1 Image SL-Micro-Default:less-633-3.1 Image SL-Micro-Default-SelfInstall:less-633-3.1 Image SL-Micro-Default-VMware:less-633-3.1 Image SL-Micro-Default-encrypted:less-633-3.1 Image SL-Micro-Default-qcow:less-633-3.1 Image SLE-Micro:less-633-3.1 Image SLE-Micro-Azure:less-633-3.1 Image SLE-Micro-BYOS:less-633-3.1 Image SLE-Micro-BYOS-Azure:less-633-3.1 Image SLE-Micro-BYOS-EC2:less-633-3.1 Image SLE-Micro-BYOS-GCE:less-633-3.1 Image SLE-Micro-EC2:less-633-3.1 Image SLE-Micro-GCE:less-633-3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:release-notes-susemanager-4.3.15.2-150400.3.133.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:release-notes-susemanager-4.3.15.2-150400.3.133.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:release-notes-susemanager-4.3.15.2-150400.3.133.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:release-notes-susemanager-4.3.15.2-150400.3.133.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:grafana-11.5.5-150200.3.72.2 SUSE Linux Enterprise Module for Package Hub 15 SP7:grafana-11.5.5-150200.3.72.2 SUSE Linux Enterprise Server 12 SP3-TERADATA:golang-github-prometheus-node_exporter-1.9.1-1.36.2 SUSE Linux Enterprise Server 12 SP5-LTSS:golang-github-prometheus-node_exporter-1.9.1-1.36.2 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:golang-github-prometheus-node_exporter-1.9.1-1.36.2 SUSE Manager Client Tools 12:golang-github-prometheus-alertmanager-0.26.0-1.31.2 SUSE Manager Client Tools 12:golang-github-prometheus-node_exporter-1.9.1-1.36.2 SUSE Manager Client Tools 12:golang-github-prometheus-prometheus-2.53.4-1.60.2 SUSE Manager Client Tools 12:grafana-11.5.5-1.79.2 SUSE Manager Client Tools 12:prometheus-blackbox_exporter-0.26.0-1.27.1 SUSE Manager Client Tools 15:firewalld-prometheus-config-0.1-150000.3.62.2 SUSE Manager Client Tools 15:golang-github-prometheus-prometheus-2.53.4-150000.3.62.2 SUSE Manager Client Tools 15:grafana-11.5.5-150000.1.79.1 SUSE Manager Client Tools 15:prometheus-blackbox_exporter-0.26.0-150000.1.27.1 SUSE Manager Client Tools for SLE Micro 5:prometheus-blackbox_exporter-0.26.0-150000.1.27.1 SUSE Manager Proxy Module 4.3:prometheus-blackbox_exporter-0.26.0-150000.1.27.1 SUSE Manager Server 4.3:release-notes-susemanager-4.3.15.2-150400.3.133.1 openSUSE Leap 15.6:grafana-11.5.5-150200.3.72.2 openSUSE Leap 15.6:prometheus-blackbox_exporter-0.26.0-150000.1.27.1 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241030T212825-1.1 openSUSE Tumbleweed:grafana-11.3.0-1.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana openSUSE Leap 15.5:grafana critical 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H