Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix.
These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Nicolargo Glances
cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*
|
— |
4.5.2
|
References 3
https://github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb…
security-advisories@github.com
https://github.com/nicolargo/glances/releases/tag/v4.5.2
security-advisories@github.com
https://github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824
security-advisories@github.com