Glances SQL Injection Vulnerability in TimescaleDB Export Module
Vulnerability
A SQL injection vulnerability has been identified in the TimescaleDB export module of Glances, a cross-platform system monitoring tool. This issue affects versions prior to 4.5.1. The vulnerability arises because the module constructs SQL queries by concatenating strings with unsanitized system monitoring data. While the normalize() method attempts to wrap string values in single quotes, it fails to escape single quotes within the data. This oversight allows for easy SQL injection through attacker-controlled inputs such as process names, filesystem mount points, network interface names, or container names.
Impact
Exploitation of this vulnerability allows for SQL injection into TimescaleDB, with potential consequences including data manipulation or destruction, unauthorized data access, and in some cases, remote code execution or privilege escalation on the PostgreSQL instance.
Reproduction
To reproduce this vulnerability, create a process with a name that includes a SQL injection payload, such as a command to copy data into a file. Then, run Glances with the TimescaleDB export option, ensuring the process filter allows the crafted process name. The injected SQL payload will be executed, demonstrating the injection vulnerability.
Remediation
Users are advised to upgrade to Glances version 4.5.1, which addresses this vulnerability by sanitizing input data to prevent SQL injection.
