Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-cvwp-r2g2-j824

Опубликовано: 16 мар. 2026
Источник: github
Github: Прошло ревью
CVSS3: 7.5

Описание

Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials

Summary

The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the /api/v4/config endpoints by introducing as_dict_secure() redaction. However, the /api/v4/args and /api/v4/args/{item} endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via vars(self.args), which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without --password (the default), these endpoints are accessible without any authentication.

Details

The secrets exposure fix (GHSA-gh4x, commit 5d3de60) modified three config-related endpoints to use as_dict_secure() when no password is configured:

# glances/outputs/glances_restful_api.py:1168 (FIXED) args_json = self.config.as_dict() if self.args.password else self.config.as_dict_secure()

However, the _api_args and _api_args_item endpoints were not part of this fix and still return all arguments without any sanitization:

# glances/outputs/glances_restful_api.py:1222-1237 def _api_args(self): try: # Get the RAW value of the args dict # Use vars to convert namespace to dict args_json = vars(self.args) except Exception as e: raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get args ({str(e)})") return GlancesJSONResponse(args_json)

And the item-specific endpoint:

# glances/outputs/glances_restful_api.py:1239-1258 def _api_args_item(self, item: str): ... args_json = vars(self.args)[item] return GlancesJSONResponse(args_json)

The self.args namespace contains sensitive fields set during initialization in glances/main.py:

  1. password (line 806-819): When --password is used, this contains the salt + pbkdf2_hmac hash. An attacker can use this for offline brute-force attacks.

  2. snmp_community (line 445): Default "public", but may be set to a secret community string for SNMP monitoring.

  3. snmp_user (line 448): SNMP v3 username, default "private".

  4. snmp_auth (line 450): SNMP v3 authentication key, default "password" but typically set to a secret value.

  5. conf_file (line 198): Path to the configuration file, reveals filesystem structure.

  6. username (line 430/800): The Glances authentication username.

Both endpoints are registered on the authenticated router (line 504-505):

f'{base_path}/args': self._api_args, f'{base_path}/args/{{item}}': self._api_args_item,

When --password is not set (the default), the router has NO authentication dependency (line 479-480), making these endpoints completely unauthenticated:

if self.args.password: router = APIRouter(prefix=self.url_prefix, dependencies=[Depends(self.authentication)]) else: router = APIRouter(prefix=self.url_prefix)

PoC

Scenario 1: No password configured (default deployment)

# Start Glances in web server mode (default, no password) glances -w # Access all command line arguments without authentication curl -s http://localhost:61208/api/4/args | python -m json.tool # Expected output includes sensitive fields: # "password": "", # "snmp_community": "public", # "snmp_user": "private", # "snmp_auth": "password", # "username": "glances", # "conf_file": "/home/user/.config/glances/glances.conf", # Access specific sensitive argument curl -s http://localhost:61208/api/4/args/snmp_community curl -s http://localhost:61208/api/4/args/snmp_auth

Scenario 2: Password configured (authenticated deployment)

# Start Glances with password authentication glances -w --password --username admin # Authenticate and access args (password hash exposed to authenticated users) curl -s -u admin:mypassword http://localhost:61208/api/4/args/password # Returns the salt$pbkdf2_hmac hash which enables offline brute-force

Impact

  • Unauthenticated network reconnaissance: When Glances runs without --password (the common default for internal/trusted networks), anyone who can reach the web server can enumerate SNMP credentials, usernames, file paths, and all runtime configuration.

  • Offline password cracking: When authentication is enabled, an authenticated user can retrieve the password hash (salt + pbkdf2_hmac) and perform offline brute-force attacks. The hash uses pbkdf2_hmac with SHA-256 and 100,000 iterations (see glances/password.py:45), which provides some protection but is still crackable with modern hardware.

  • Lateral movement: Exposed SNMP community strings and v3 authentication keys can be used to access other network devices monitored by the Glances instance.

  • Supply chain for CORS attack: Combined with the default CORS misconfiguration (finding 001), these secrets can be stolen cross-origin by a malicious website.

Recommended Fix

Apply the same redaction pattern used for the /api/v4/config endpoints:

# glances/outputs/glances_restful_api.py _SENSITIVE_ARGS = frozenset({ 'password', 'snmp_community', 'snmp_user', 'snmp_auth', 'conf_file', 'password_prompt', 'username_used', }) def _api_args(self): try: args_json = vars(self.args).copy() if not self.args.password: for key in _SENSITIVE_ARGS: if key in args_json: args_json[key] = "********" # Never expose the password hash, even to authenticated users if 'password' in args_json and args_json['password']: args_json['password'] = "********" except Exception as e: raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get args ({str(e)})") return GlancesJSONResponse(args_json) def _api_args_item(self, item: str): if item not in self.args: raise HTTPException(status.HTTP_400_BAD_REQUEST, f"Unknown argument item {item}") try: if item in _SENSITIVE_ARGS: if not self.args.password: return GlancesJSONResponse("********") if item == 'password': return GlancesJSONResponse("********") args_json = vars(self.args)[item] except Exception as e: raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get args item ({str(e)})") return GlancesJSONResponse(args_json)

Ссылки

Пакеты

Наименование

Glances

pip
Затронутые версииВерсия исправления

< 4.5.2

4.5.2

EPSS

Процентиль: 35%
0.0015
Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-32609

Дефекты

CWE-200

Связанные уязвимости

ubuntu логотип

CVE-2026-32609

CVSS3: 7.5
ubuntu
11 дней назад

Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.

nvd логотип

CVE-2026-32609

CVSS3: 7.5
nvd
11 дней назад

Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.

debian логотип

CVE-2026-32609

CVSS3: 7.5
debian
11 дней назад

Glances is an open-source system cross-platform monitoring tool. The G ...

EPSS

Процентиль: 35%
0.0015
Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-32609

Дефекты

CWE-200