Glances Cross-Origin Information Disclosure Vulnerability via Unauthenticated REST API
Vulnerability
A cross-origin information disclosure vulnerability has been identified in Glances, an open-source cross-platform system monitoring tool. Prior to version 4.5.4, the Glances web server's REST API (/api/4/*) was accessible without authentication and allowed cross-origin requests from any origin due to a permissive CORS policy. This enabled malicious websites to read sensitive system information from a running Glances instance through the victim's browser, leading to unauthorized data exfiltration. The affected API endpoint exposed extensive system details, including the process list, memory and disk usage, network interfaces, and running services. The issue has been patched in version 4.5.4.
Impact
Exploitation of this vulnerability allowed remote attackers to read sensitive system information from the victim's Glances instance, including process lists, network configurations, and other system metrics, without authentication or user interaction.
Reproduction
To reproduce this vulnerability, start Glances in web mode, binding to all interfaces. This exposes the REST API endpoint at /api/4/all without authentication. A malicious website opened in the victim's browser can then fetch data from this endpoint and read the response, because the permissive CORS policy allows requests from any origin, which gives that site access to the sensitive system information.
Remediation
Users can update to Glances version 4.5.4 or later to address this vulnerability.
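To confirm that an instance you operate no longer shows the two conditions this advisory describes (an API response served without credentials, and a CORS header that lets a foreign origin read it), the following added example sends one request with a constructed Origin header and classifies the response. It is not code from the Glances project; the default address and port 61208, the probe origin, and the result labels are assumptions of this example.

```python
import urllib.error
import urllib.request

# Constructed origin for the probe; ".invalid" never resolves to a real site.
PROBE_ORIGIN = "https://cors-probe.invalid"


def classify(status, headers, origin=PROBE_ORIGIN):
    """Classify the response to one credential-free, cross-origin GET."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin", "")
    # A browser lets a foreign page read the body only if ACAO is "*"
    # or names that page's origin.
    readable_cross_origin = acao in ("*", origin)
    if status == 200 and readable_cross_origin:
        return "exposed"           # both conditions from the advisory hold
    if status == 200:
        return "unauthenticated"   # no login needed, but foreign pages cannot read it
    if status in (401, 403):
        return "auth_required"
    return "inconclusive"


def probe(base_url="http://127.0.0.1:61208", timeout=5):
    """Send the probe to an instance you operate and classify the answer."""
    request = urllib.request.Request(
        base_url.rstrip("/") + "/api/4/all",
        headers={"Origin": PROBE_ORIGIN},
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify(response.status, response.headers)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers)
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    print(probe())
```

A result of "unauthenticated" still means anyone who can reach the port can read the API directly, so it is worth reviewing the bind address and access controls even when the CORS condition is gone.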
