Glances Unauthenticated API Exposure Vulnerability Allowing Credential Disclosure
Vulnerability
A vulnerability in Glances, an open-source cross-platform system monitoring tool, causes the web server to run without authentication by default when it is started with the 'glances -w' command. The exposed REST API can leak sensitive system information, including process command lines containing credentials such as passwords, API keys, and tokens, to any network client. The issue affects Glances versions prior to 4.5.2.
Impact
The vulnerability allows complete system reconnaissance and credential harvesting from any network client. Exposed endpoints include system information, process lists with full command-line arguments (containing passwords, API keys, tokens), network connections, filesystems, and Docker containers. This exposure could enable lateral movement and targeted attacks using the stolen credentials.
Reproduction
To reproduce this vulnerability, start Glances in web server mode without authentication by using the 'glances -w' command. The server will bind to all network interfaces, allowing any client on the network to access the API. Once the server is running, sensitive information can be retrieved from the API endpoints without any authentication.
Remediation
Users should upgrade to Glances version 4.5.2, which addresses this vulnerability by enabling authentication by default and adding host validation to the web server.
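To find hosts that still need the upgrade, the following Python check (an added example, not part of the original advisory or of the Glances project) flags Glances web-server processes started without authentication on a version older than 4.5.2. It assumes the installed version is supplied by the caller and that authentication is configured only through the '--password' flag; the command lines are constructed samples, and 'audit_cmdline', 'parse_version' and 'SAMPLE' are illustrative names.

```python
import re
import shlex
from pathlib import PurePosixPath

FIXED = (4, 5, 2)  # first fixed release named in the advisory
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_version(text):
    """'4.5.1' -> (4, 5, 1); missing or non-numeric parts count as 0."""
    nums = [int(m.group()) if (m := re.match(r"\d+", p)) else 0
            for p in text.strip().split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit_cmdline(cmdline, version):
    """Return a finding string for one process command line, or None."""
    argv = shlex.split(cmdline)
    # Locate the glances executable or module name, however it was launched.
    idx = next((i for i, a in enumerate(argv)
                if PurePosixPath(a).name == "glances"), None)
    if idx is None or parse_version(version) >= FIXED:
        return None
    args = argv[idx + 1:]
    if not any(a in ("-w", "--webserver") for a in args):
        return None  # not running in web server mode
    if "--password" in args:
        return None  # assumption: this flag is the only auth mechanism checked
    bind = "0.0.0.0"  # per the advisory, the server binds to all interfaces
    for i, a in enumerate(args):
        if a in ("-B", "--bind") and i + 1 < len(args):
            bind = args[i + 1]
        elif a.startswith("--bind="):
            bind = a.split("=", 1)[1]
    scope = "local only" if bind in LOOPBACK else f"network-reachable on {bind}"
    return f"unauthenticated web server, {scope}"

# Constructed sample command lines, not taken from a real host.
SAMPLE = [
    "/usr/bin/python3 /usr/local/bin/glances -w",
    "glances -w -B 127.0.0.1 --password",
    "python3 -m glances -w --bind=192.0.2.10",
    "nginx -g 'daemon off;'",
]

if __name__ == "__main__":
    for line in SAMPLE:
        for version in ("4.5.1", "4.5.2"):
            print(f"{version}  {line!r}: {audit_cmdline(line, version) or 'ok'}")
```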
