GHSA-x46r-mf5g-xpr6

Опубликовано: 09 мар. 2026

Источник: github

Github: Прошло ревью

CVSS4: 7.3

Описание

Glances has SQL Injection via Process Names in TimescaleDB Export

Summary

The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.

Root Cause: The normalize() function uses f"'{value}'" for string values without escaping single quotes within the value. The resulting strings are concatenated into INSERT queries via string formatting and executed directly with cur.execute() — no parameterized queries are used.

Affected Code

File: glances/exports/glances_timescaledb/init.py, lines 79-93 (normalize function)

def normalize(self, value): """Normalize the value to be exportable to TimescaleDB.""" if value is None: return 'NULL' if isinstance(value, bool): return str(value).upper() if isinstance(value, (list, tuple)): # Special case for list of one boolean if len(value) == 1 and isinstance(value[0], bool): return str(value[0]).upper() return ', '.join([f"'{v}'" for v in value]) if isinstance(value, str): return f"'{value}'" # <-- NO ESCAPING of single quotes within value return f"{value}"

File: glances/exports/glances_timescaledb/init.py, lines 201-205 (query construction)

# Insert the data insert_list = [f"({','.join(i)})" for i in values_list] insert_query = f"INSERT INTO {plugin} VALUES {','.join(insert_list)};" logger.debug(f"Insert data into table: {insert_query}") try: cur.execute(insert_query) # <-- Direct execution of concatenated SQL

PoC

As a normal user, create a process with the name containing the SQL Injection payload:

exec -a "x'); COPY (SELECT version()) TO '/tmp/sqli_proof.txt' --" python3 -c 'import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]'

Start Glances with TimescaleDB export as root user:

glances --export timescaledb --export-process-filter ".*" --time 5 --stdout cpu

Observe that sqli_proof.txt is created in /tmp directory.

Impact

Data Destruction: DROP TABLE, DELETE, TRUNCATE operations against the TimescaleDB database.
Data Exfiltration: Using COPY ... TO or subqueries to extract data from other tables.
Potential RCE: Via PostgreSQL extensions like COPY ... PROGRAM which executes OS commands.
Privilege Escalation: Any local user who can create a process with a crafted name can inject SQL into the database, potentially compromising the entire PostgreSQL instance.

Ссылки

Пакеты

Наименование

Glances

pip

Затронутые версииВерсия исправления

< 4.5.1

4.5.1

EPSS

Процентиль: 7%

0.00026

Низкий

7.3 High

CVSS4

CVE ID

CVE-2026-30930

Дефекты

CWE-89

Связанные уязвимости

CVE-2026-30930

CVSS3: 9.8

ubuntu

19 дней назад

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.

CVE-2026-30930

CVSS3: 9.8

nvd

19 дней назад

CVE-2026-30930

CVSS3: 9.8

debian

19 дней назад

Glances is an open-source system cross-platform monitoring tool. Prior ...

EPSS

Процентиль: 7%

0.00026

Низкий

7.3 High

CVSS4

CVE ID

CVE-2026-30930

Дефекты

CWE-89