Share
## https://sploitus.com/exploit?id=95B9043B-AF65-5427-B628-74D65081A6A2
# File-Read-CVE-2024-9264
Proof Of Concept for File Read in Grafana (CVE-2024-9264)

## Prerequisites
- authenticated Grafana user with `Viewer` permissions or higher
- DuckDB binary must be installed and accessible through Grafana's PATH

## Impacted version
Grafana >= v11.0.0 (all v11.x.y are impacted)

## Usage
```
python3 poc.py [--url <target>] [--user <username>] [--password <password>] [--file <path>]
```

## Example
```
python3 poc.py --url http://127.0.0.1:3000 --user eviluser --password eviluser --file /etc/passwd
```

## Disclaimer

This script is intended for educational purposes and for use in controlled environments where you have permission to test the security of the system. Misuse of this tool could lead to legal consequences.

## More 
https://zekosec.com/blog/file-read-grafana-cve-2024-9264/
https://grafana.com/blog/2024/10/17/grafana-security-release-critical-severity-fix-for-cve-2024-9264/