Glances Unauthenticated Configuration Secrets Exposure Vulnerability
Vulnerability
A vulnerability in Glances versions prior to 4.5.1 allows the /api/4/config REST API endpoint to expose the entire parsed configuration file, glances.conf, without filtering sensitive information. The unfiltered data includes credentials for backend services, such as database passwords, API tokens, JWT signing keys, and SSL key passwords. The issue arises because the configuration parser's as_dict() method returns every key without redacting sensitive ones, and the endpoint serves that dictionary as-is. Any client that can reach the API over the network can retrieve it, which could lead to a full compromise of the affected infrastructure through the exposed database credentials.
Impact
Exploitation of this vulnerability could result in a full compromise of the affected infrastructure, as it exposes database credentials for InfluxDB, MongoDB, PostgreSQL/TimescaleDB, CouchDB, and Cassandra, allowing direct access to all connected backend data stores.
Reproduction
To reproduce this vulnerability, start Glances in the default webserver mode. Once the server is running, access the /api/4/config endpoint from any network-reachable host. This will return the entire configuration file, including sensitive credentials. Specific secrets can be extracted by requesting particular keys from the configuration, such as the JWT secret key or InfluxDB token.
Remediation
Users are advised to upgrade to Glances version 4.5.1, which addresses this vulnerability by implementing a secure version of the configuration API that filters sensitive information. Instructions for upgrading are available in the Glances release notes.
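To illustrate the defect described above (an as_dict() that returns every key) beside the kind of filtering the fix describes, here is an added example in Python; it is not Glances code and does not reproduce the exact key list or redaction logic of 4.5.1. The sample configuration, the sensitive-key pattern and the function names are all assumptions made for this example.

```python
import configparser
import re

# Constructed glances.conf-style sample; the values are placeholders, not real credentials.
SAMPLE_CONF = """
[influxdb]
host=localhost
port=8086
token=EXAMPLE_INFLUX_TOKEN
[postgresql]
host=db.internal
user=glances
password=EXAMPLE_DB_PASSWORD
[outputs]
curse_theme=black
"""

# Assumed key-name heuristic for "sensitive"; deliberately broad, since over-redacting a
# harmless key (e.g. a key *file path*) is cheaper than leaking a real secret.
SENSITIVE_KEY_PATTERN = re.compile(r"(password|passwd|secret|token|key)", re.IGNORECASE)
REDACTED = "***REDACTED***"


def parse_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None so a '%' inside a password does not raise during parsing.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def config_as_dict_unfiltered(cp: configparser.ConfigParser) -> dict:
    """Mirrors the pre-4.5.1 behaviour the advisory describes: every key and value is returned."""
    return {section: dict(cp.items(section)) for section in cp.sections()}


def config_as_dict_redacted(cp: configparser.ConfigParser) -> dict:
    """Hardened variant: values under sensitive-looking keys are replaced before the dict leaves the process."""
    return {
        section: {k: (REDACTED if SENSITIVE_KEY_PATTERN.search(k) else v) for k, v in cp.items(section)}
        for section in cp.sections()
    }


def leaked_secrets(config_dict: dict) -> list:
    """Audit helper: (section, key) pairs whose sensitive-looking value is still in clear text."""
    return [(s, k) for s, kv in config_dict.items() for k, v in kv.items()
            if SENSITIVE_KEY_PATTERN.search(k) and v != REDACTED]
```

Running leaked_secrets() over whatever an API endpoint is about to return is a cheap regression check that catches a reintroduced unfiltered path.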
