SC Media reports that, according to Netlas.io, more than 100,000 instances of the open-source data analytics and visualization platform Grafana, almost 19,000 of them in the U.S., are likely affected by CVE-2024-9264, a critical vulnerability in the platform's SQL Expressions feature that could be leveraged for remote code execution.
Exploitation requires only an account with at least the "viewer" role, but, according to Grafana Labs, it also requires that the DuckDB binary be installed and present on the PATH of the Grafana server process; without it, the vulnerability cannot be turned into a successful compromise.
Grafana Labs has issued six new builds to remediate the issue, two for each affected release line (11.0, 11.1, and 11.2).
Users can upgrade to 11.0.6+security-01, 11.1.7+security-01, or 11.2.2+security-01, which carry the fix along with other changes, or, if they want only the security fix, to 11.0.5+security-01, 11.1.6+security-01, or 11.2.1+security-01. The firm urges immediate action.
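The two facts a defender needs from the advisory are whether a given Grafana build is at or past the fixed versions, and whether the DuckDB precondition holds for the Grafana process. The following is an added triage helper, not code from Grafana Labs or from the article. The fixed-version list is the one quoted above; the assumption that only the 11.0, 11.1 and 11.2 lines are in scope, and the `/proc/<pid>/environ` lookup, are ours. It also shows the version-comparison pitfall the `+security-01` suffix creates: a plain `11.2.1` is vulnerable, while `11.2.1+security-01` is fixed, so a string equality check on the numeric part is not enough.

```python
"""Triage helper for CVE-2024-9264 (added example, not Grafana Labs' code).

Parses Grafana version strings such as '11.2.1+security-01', decides whether a
build is on or past the fixed builds named in the advisory, and checks whether
a 'duckdb' binary is reachable on a given PATH (ideally the one of the running
grafana process, not the admin's shell).
"""
from __future__ import annotations

import re
import shutil

# Fix-only builds named in the advisory, one per affected minor line.  Any build
# at or above these on the same line (the 11.0.6/11.1.7/11.2.2 +security-01
# builds included) carries the fix.  Assumption: only these lines are affected.
FIXED_BUILDS = {
    (11, 0): "11.0.5+security-01",
    (11, 1): "11.1.6+security-01",
    (11, 2): "11.2.1+security-01",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """'11.2.1+security-01' -> (11, 2, 1, 1); plain '11.2.1' -> (11, 2, 1, 0).

    The trailing element makes a security rebuild sort above the ordinary
    release of the same patch level, which is exactly the ordering the
    advisory implies (11.2.1 vulnerable, 11.2.1+security-01 fixed).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))


def fix_status(version: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unlisted'.

    'unlisted' means the build is not on one of the release lines the advisory
    names, so this helper makes no claim about it.
    """
    v = parse_version(version)
    line = v[:2]
    if line not in FIXED_BUILDS:
        return "unlisted"
    return "fixed" if v >= parse_version(FIXED_BUILDS[line]) else "vulnerable"


def duckdb_on_path(path_env: str | None = None) -> str | None:
    """Return the duckdb binary found on path_env (None -> this process's PATH).

    Pass the PATH of the grafana server process: the precondition is about the
    server's environment, and a systemd unit often has a narrower PATH than an
    interactive shell.
    """
    return shutil.which("duckdb", path=path_env)


def process_path(pid: int) -> str | None:
    """Read PATH from /proc/<pid>/environ (Linux only; needs root or the same
    user as the target process).  Returns None if PATH is not set."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        for entry in f.read().split(b"\0"):
            if entry.startswith(b"PATH="):
                return entry[len(b"PATH="):].decode(errors="replace")
    return None


def assess(version: str, path_env: str | None = None) -> dict:
    """Combine both advisory conditions into one verdict.

    'precondition_met' is True only when the build is vulnerable *and* duckdb is
    reachable on the supplied PATH; a viewer-level account is then sufficient
    for exploitation per the advisory.
    """
    status = fix_status(version)
    duckdb = duckdb_on_path(path_env)
    return {
        "version": version,
        "status": status,
        "duckdb": duckdb,
        "precondition_met": status == "vulnerable" and duckdb is not None,
    }


if __name__ == "__main__":
    # Constructed sample inputs; replace with the real version and the PATH
    # read from the grafana process (e.g. process_path(<grafana pid>)).
    for ver in ("11.2.1", "11.2.1+security-01", "11.1.5", "10.4.3"):
        print(assess(ver, "/usr/local/bin:/usr/bin"))
```

Run it as the grafana user (or root) with `process_path(pid)` of the real server process to get the PATH that matters; a `duckdb` found on an administrator's shell PATH says nothing about what the server can execute, and the reverse is also true.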