| Description: | | The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The vulnerability affects grafana of version 11.0.0-11.0.5, 11.1.0-11.1.6 and 11.2.0-11.2.1. The `duckdb` binary must be present in Grafana $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. |