Glances DuckDB Export SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the DuckDB export module of Glances, a cross-platform system monitoring tool. The issue arises because table and column names are inserted directly into SQL statements through f-strings, with no sanitization or quoting. The values passed to DuckDB INSERT statements are parameterized and therefore safe, but the Data Definition Language (DDL) statements and the table-name references are built from identifiers that are neither escaped nor validated. A query parameter can only carry a value, never an identifier, so any table or column name taken from plugin data reaches the SQL parser verbatim. This vulnerability affects Glances versions through 4.5.2-dev01.

Impact

Exploitation of this vulnerability allows SQL injection through the unparameterized DDL statements, which could lead to unauthorized manipulation of the DuckDB database, such as dropping tables or executing arbitrary SQL statements with the privileges of the Glances process. The injected identifiers are the keys of the statistics a plugin produces, so in a stock installation the attacker would need to control a plugin or the data it reports; if any Glances plugin derives keys from external data (process names, container labels, remote metrics), that data becomes an injection vector and the risk increases accordingly.

Reproduction

To reproduce this vulnerability, first ensure that Glances is running an affected version (through 4.5.2-dev01) and that the DuckDB export feature is enabled. Then, use a custom plugin that generates monitoring statistics whose keys (which become column names) contain SQL metacharacters, for example a key that closes the column definition and appends a second statement followed by a comment marker. When Glances exports the data to DuckDB, the key is interpolated unescaped into the CREATE TABLE statement, so the appended statement is executed as SQL, demonstrating the injection.

Remediation

Users should upgrade to Glances version 4.5.2, which addresses this vulnerability by applying the same parameterization approach already used for the TimescaleDB export module. After updating, confirm the installed version (for example with glances --version) and recreate any DuckDB database that was written by an affected version, since its schema may already contain attacker-influenced identifiers. Until the upgrade is applied, disabling the DuckDB export and not loading untrusted custom plugins removes the only known trigger.
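The following Python example, added here and not taken from the Glances code base, reconstructs the pattern the Reproduction and Remediation sections describe: a DDL builder that interpolates plugin keys with f-strings, beside a hardened builder that double-quotes identifiers and a pre-export check that flags keys outside a strict allowlist. The sample statistics dictionary and the plugin key carrying the payload are constructed for the demonstration. The standard-library sqlite3 module stands in for DuckDB as the executor (an assumption: both accept double-quoted identifiers with an embedded quote escaped by doubling, and both accept ? placeholders for values), so the block runs offline.

```python
import re
import sqlite3  # stand-in for duckdb (assumption: same identifier-quoting rules)

# Constructed sample: what a hypothetical custom plugin might report. The last key
# closes the column definition, appends a DROP TABLE, and comments out the rest.
SAMPLE_STATS = {
    "cpu_total": 12.5,
    "mem_used": 4096.0,
    "load DOUBLE); DROP TABLE stats; --": 1.0,
}

# Allowlist for identifiers a monitoring plugin would legitimately produce.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_create_vulnerable(table: str, stats: dict) -> str:
    """The flawed pattern: identifiers go straight into DDL via an f-string.
    Illustrative reconstruction, not the project's actual code."""
    cols = ", ".join(f"{key} DOUBLE" for key in stats)
    return f"CREATE TABLE IF NOT EXISTS {table} (ts TEXT, {cols})"


def table_survives_vulnerable_ddl(table: str, stats: dict) -> bool:
    """Run the vulnerable DDL as a script and report whether the table still exists.
    With the injected key the appended DROP TABLE runs and the table is gone."""
    con = sqlite3.connect(":memory:")
    con.executescript(build_create_vulnerable(table, stats))
    count = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()[0]
    con.close()
    return count == 1


def quote_ident(name: str) -> str:
    """Double-quote an identifier and double any embedded quote, so the whole
    string is parsed as one name regardless of the metacharacters it contains."""
    return '"' + name.replace('"', '""') + '"'


def unsafe_keys(stats: dict) -> list:
    """Defense in depth: list keys that fall outside the allowlist so the exporter
    can log or reject them before they ever reach a SQL statement."""
    return [key for key in stats if not IDENT_RE.fullmatch(key)]


def build_create_safe(table: str, stats: dict) -> str:
    cols = ", ".join(f"{quote_ident(key)} DOUBLE" for key in stats)
    return f"CREATE TABLE IF NOT EXISTS {quote_ident(table)} (ts TEXT, {cols})"


def build_insert_safe(table: str, stats: dict, ts: str) -> tuple:
    """Identifiers are quoted; values stay parameterized, as in the original module."""
    cols = ", ".join(quote_ident(key) for key in stats)
    placeholders = ", ".join("?" for _ in stats)
    sql = f"INSERT INTO {quote_ident(table)} (ts, {cols}) VALUES (?, {placeholders})"
    return sql, [ts, *stats.values()]


def export_round_trip(table: str, stats: dict) -> list:
    """Create the table and insert one row with the hardened builders, then return
    the resulting column names: the payload ends up as a harmless column name."""
    con = sqlite3.connect(":memory:")
    con.execute(build_create_safe(table, stats))
    sql, params = build_insert_safe(table, stats, "2026-03-18T19:11:00")
    con.execute(sql, params)
    cur = con.execute(f"SELECT * FROM {quote_ident(table)}")
    columns = [desc[0] for desc in cur.description]
    con.close()
    return columns


if __name__ == "__main__":
    print("vulnerable DDL:", build_create_vulnerable("stats", SAMPLE_STATS))
    print("table survives:", table_survives_vulnerable_ddl("stats", SAMPLE_STATS))
    print("flagged keys:", unsafe_keys(SAMPLE_STATS))
    print("hardened columns:", export_round_trip("stats", SAMPLE_STATS))
```

Quoting alone neutralizes the injection, which is why the hardened builder accepts any key; the allowlist check is there because a monitoring exporter has no reason to create columns with spaces or punctuation, and rejecting such keys early makes a compromised plugin visible in the logs instead of silently widening the schema.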

Added: Mar 18, 2026, 7:11 PM
Updated: Mar 18, 2026, 7:11 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.