Glances Browser API Unauthenticated Credential Disclosure Vulnerability

Vulnerability

A vulnerability exists in the Glances open-source system monitoring tool, specifically in Central Browser mode, prior to version 4.5.2. The issue arises because the '/api/4/serverslist' endpoint can return raw server objects that include a 'uri' field with embedded HTTP Basic credentials for downstream Glances servers. This occurs when the front Glances Browser/API instance is started without a password, a common practice for internal network deployments. In this scenario, the endpoint is completely unauthenticated, allowing any network user to retrieve reusable credentials for protected downstream servers that have been polled by the browser instance.

Impact

This vulnerability allows for unauthenticated access to credential-bearing fields in the API response, specifically the 'uri' field, which contains embedded authentication credentials for downstream Glances servers. This exposure can lead to unauthorized access to those servers using the disclosed credentials. Additionally, if the front Glances instance is running with a password, the same credential disclosure can be exploited cross-origin due to a separate CORS-related vulnerability.

Reproduction

To reproduce this vulnerability, start a Glances Browser/API instance without a password. Once the instance is running, ensure that it polls at least one protected downstream server, which will be marked as 'PROTECTED' in the server list. After this, the '/api/4/serverslist' endpoint can be accessed without authentication, revealing the 'uri' fields with embedded credentials for the polled downstream servers.

Remediation

Users should update to Glances version 4.5.2 or later, where this vulnerability has been addressed. After upgrading, review the 'outputs' section of the glances.conf file to configure the CORS policy and host header validation as needed.
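As an added defender-side check (not code from the Glances project or from this advisory), the following Python audit script parses a '/api/4/serverslist' response and reports any server entry whose 'uri' carries embedded HTTP Basic credentials, printing only a redacted form so the audit itself does not re-leak them. It can be run against a saved response before upgrading to confirm exposure, and again after upgrading to 4.5.2 or later to confirm the leak is gone. The response shape (a JSON list of server objects with 'name', 'status' and 'uri' keys) and the sample data are constructed assumptions, as are the function names; only the endpoint path and the 'uri' field come from the advisory.

```python
"""Audit helper for the Glances Browser credential-disclosure issue.

Added example, not Glances project code. Flags 'uri' fields in a
'/api/4/serverslist' response that embed HTTP Basic credentials.
"""
import json
import sys
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample response (assumed shape: list of server objects with a
# 'uri' field). Not captured from a real instance; credentials are fake.
SAMPLE_RESPONSE = json.dumps([
    {"name": "db-01", "status": "PROTECTED",
     "uri": "http://monitor:s3cret@10.0.0.5:61209"},
    {"name": "web-01", "status": "ONLINE",
     "uri": "http://10.0.0.6:61209"},
])


def has_embedded_credentials(uri):
    """True when the URI's authority part contains userinfo (user:pass@)."""
    parts = urlsplit(uri)
    return parts.username is not None or parts.password is not None


def redact_uri(uri):
    """Return the URI with any userinfo removed, keeping scheme, host and port."""
    if not has_embedded_credentials(uri):
        return uri
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def find_leaks(response_text):
    """Parse a serverslist JSON body; return [(name, redacted_uri)] for leaking entries."""
    servers = json.loads(response_text)
    leaks = []
    for server in servers:
        uri = server.get("uri")
        if isinstance(uri, str) and has_embedded_credentials(uri):
            leaks.append((server.get("name"), redact_uri(uri)))
    return leaks


def audit_instance(base_url, timeout=5):
    """Fetch the endpoint from your own Glances Browser instance (hypothetical
    helper, no authentication sent) and return its leaking entries.
    A 401/403 from a password-protected front instance is the expected
    healthy outcome and is reported as 'no unauthenticated access'."""
    url = base_url.rstrip("/") + "/api/4/serverslist"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return find_leaks(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return []  # endpoint requires auth: nothing exposed anonymously
        raise


if __name__ == "__main__":
    # Offline run uses the constructed sample; pass a base URL to audit your own host.
    leaks = audit_instance(sys.argv[1]) if len(sys.argv) > 1 else find_leaks(SAMPLE_RESPONSE)
    for name, redacted in leaks:
        print(f"LEAK: server {name!r} exposes credentials in uri (redacted: {redacted})")
    if not leaks:
        print("No credential-bearing 'uri' fields found.")
```

Running it with no arguments exercises the constructed sample and reports the 'db-01' entry; a clean post-upgrade run against a real instance should either report nothing or, for a password-protected front instance, be refused with 401/403.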

Added: Mar 18, 2026, 7:05 PM
Updated: Mar 18, 2026, 7:05 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.