CVE-2024-10452
https://notcve.org/view.php?id=CVE-2024-10452
Organization admins can delete pending invites created in an organization they are not part of. • https://grafana.com/security/security-advisories/cve-2024-10452 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2024-9264 – Grafana SQL Expressions allow for remote code execution
https://notcve.org/view.php?id=CVE-2024-9264
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. • https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit https://github.com/nollium/CVE-2024-9264 https://github.com/z3k0sec/File-Read-CVE-2024-9264 https://github.com/zgimszhd61/CVE-2024-9264 https://github.com/zgimszhd61/CVE-2024-9264-RCE https://github.com/PunitTailor55/Grafana-CVE-2024-9264 https://grafana.com/security/security-advisories/cve-2024-9264 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-8118 – Grafana alerting wrong permission on datasource rule write endpoint
https://notcve.org/view.php?id=CVE-2024-8118
In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules. • https://grafana.com/security/security-advisories/cve-2024-8118 • CWE-653: Improper Isolation or Compartmentalization •
CVE-2024-8996 – Grafana Agent Flow on Windows Unquoted service path
https://notcve.org/view.php?id=CVE-2024-8996
Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Agent Flow: before 0.43.2 • https://github.com/grafana/agent/releases/tag/v0.43.2 https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996 https://grafana.com/security/security-advisories/cve-2024-8996 https://github.com/grafana/agent/releases/tag/v0.43.3 • CWE-428: Unquoted Search Path or Element •
CVE-2024-8975 – Grafana Alloy on Windows Unquoted service path
https://notcve.org/view.php?id=CVE-2024-8975
Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1. • https://github.com/grafana/alloy/releases/tag/v1.4.0 https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996 https://grafana.com/security/security-advisories/cve-2024-8975 https://github.com/grafana/alloy/releases/tag/v1.4.1 https://github.com/grafana/alloy/releases/tag/v1.3.4 • CWE-428: Unquoted Search Path or Element •