{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/glances/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-34839"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Glances"],"_cs_severities":["high"],"_cs_tags":["glances","information-disclosure","cors","webserver"],"_cs_type":"advisory","_cs_vendors":["Glances"],"content_html":"\u003cp\u003eGlances, a system monitoring tool, exposes a REST API (\u003ccode\u003e/api/4/*\u003c/code\u003e) that is accessible without authentication. Prior to version 4.5.4, a permissive Cross-Origin Resource Sharing (CORS) policy (\u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e) allows cross-origin requests from any website. An attacker can exploit this vulnerability by hosting a malicious website that, when visited by a user running Glances in web mode (e.g., \u003ccode\u003eglances -w -B 0.0.0.0\u003c/code\u003e), can retrieve sensitive system information via the user's browser. This information includes process lists, system details (hostname, OS, CPU info), memory and disk usage, network interfaces and IP addresses, and running services and metrics. The vulnerability, identified as CVE-2026-34839, allows for unauthenticated remote information disclosure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA victim starts Glances in web mode using the command \u003ccode\u003eglances -w -B 0.0.0.0\u003c/code\u003e, exposing the REST API on port 61208.\u003c/li\u003e\n\u003cli\u003eThe victim visits a malicious website controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious website contains JavaScript code that sends an HTTP GET request to the Glances API endpoint \u003ccode\u003ehttp://\u0026lt;victim-ip\u0026gt;:61208/api/4/all\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the permissive CORS policy (\u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e), the Glances server allows the cross-origin request.\u003c/li\u003e\n\u003cli\u003eThe Glances server responds with a JSON payload containing sensitive system information, including process lists, system details, network configuration, and resource usage.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code parses the JSON response and extracts the sensitive information.\u003c/li\u003e\n\u003cli\u003eThe extracted information is logged to the attacker's console or sent to an attacker-controlled server for analysis and further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the disclosed information for reconnaissance, identifying potential targets for further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote, unauthenticated attacker to gather sensitive information about the victim's system. This can lead to a comprehensive system fingerprint, including running processes, network configuration, and internal IP addresses. While the exact number of victims is unknown, any Glances instance running in web mode with a vulnerable version (prior to 4.5.4) is susceptible. This information disclosure can be used for targeted attacks, such as exploiting other vulnerabilities based on the identified software and configurations or performing social engineering attacks based on the disclosed system information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Glances to version 4.5.4 or later to patch CVE-2026-34839.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring rules to detect unusual outbound connections from browsers to port 61208, indicating potential exploitation attempts. See the \u0026quot;Detect Glances API Access from Browser Process\u0026quot; Sigma rule below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Glances Web Mode Startup\u0026quot; to identify instances of Glances being run in web mode.\u003c/li\u003e\n\u003cli\u003eReview and restrict network exposure of Glances web interface by modifying the \u003ccode\u003e-B\u003c/code\u003e parameter, avoiding \u003ccode\u003e0.0.0.0\u003c/code\u003e, to limit the scope of the exposed API.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-26-glances-info-disclosure/","summary":"Glances versions before 4.5.4 are vulnerable to cross-origin information disclosure, where a malicious website can retrieve sensitive system information from a running Glances instance due to a permissive CORS policy on the `/api/4/all` endpoint.","title":"Glances Cross-Origin Information Disclosure via Unauthenticated REST API","url":"https://feed.craftedsignal.io/briefs/2024-01-26-glances-info-disclosure/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Glances"],"_cs_severities":["high"],"_cs_tags":["ssrf","credential-leakage","python"],"_cs_type":"advisory","_cs_vendors":["Glances"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability has been identified in the Glances IP plugin, affecting versions prior to 4.5.4. The vulnerability stems from insufficient validation of the \u003ccode\u003epublic_api\u003c/code\u003e configuration parameter. An attacker with the ability to modify the Glances configuration file can exploit this flaw to force the application to make HTTP requests to arbitrary internal or external endpoints. Furthermore, if \u003ccode\u003epublic_username\u003c/code\u003e and \u003ccode\u003epublic_password\u003c/code\u003e are configured, Glances automatically includes these credentials within the \u003ccode\u003eAuthorization: Basic\u003c/code\u003e header of the outbound requests, leading to potential credential leakage to attacker-controlled servers. This issue allows attackers to probe internal network services, retrieve sensitive data from cloud metadata endpoints (e.g., AWS, Azure, GCP), and exfiltrate credentials. The root cause is the direct usage of the \u003ccode\u003epublic_api\u003c/code\u003e value within the \u003ccode\u003eurlopen_auth\u003c/code\u003e function without proper validation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the Glances configuration file (e.g., through compromised credentials or exposed configuration management).\u003c/li\u003e\n\u003cli\u003eAttacker modifies the \u003ccode\u003eglances.conf\u003c/code\u003e file, setting \u003ccode\u003epublic_api\u003c/code\u003e to a malicious URL, such as \u003ccode\u003ehttp://127.0.0.1:9999/ssrf-poc\u003c/code\u003e or a cloud metadata endpoint (\u003ccode\u003ehttp://169.254.169.254/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker sets \u003ccode\u003epublic_username\u003c/code\u003e and \u003ccode\u003epublic_password\u003c/code\u003e in the \u003ccode\u003eglances.conf\u003c/code\u003e file to capture the Basic Authentication header.\u003c/li\u003e\n\u003cli\u003eThe Glances application, particularly the IP plugin, reads the modified configuration file during startup or refresh.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eThreadPublicIpAddress\u003c/code\u003e class initiates an HTTP request to the attacker-controlled URL using the \u003ccode\u003eurlopen_auth\u003c/code\u003e function in \u003ccode\u003eglances/globals.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eurlopen_auth\u003c/code\u003e function sends the request with the \u003ccode\u003eAuthorization: Basic\u003c/code\u003e header containing the configured username and password, to the attacker controlled endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker's server receives the request, captures the leaked credentials from the Authorization header, and potentially uses them for further exploitation.\u003c/li\u003e\n\u003cli\u003eThe Glances API endpoint \u003ccode\u003e/api/4/ip\u003c/code\u003e reflects the attacker-controlled data, potentially injecting arbitrary information into the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can have several serious consequences. Attackers can gain unauthorized access to internal network services and sensitive data residing on the local machine or within the internal network. Credential leakage, due to the inclusion of usernames and passwords in the Authorization header, can lead to further compromise of other systems and services. Cloud metadata endpoints can be queried to obtain sensitive credentials for cloud environments (AWS, Azure, GCP). Furthermore, by manipulating the response received from the attacker-controlled server, arbitrary data can be injected into the Glances application, potentially leading to further exploitation or disruption of services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect modifications to the Glances configuration file to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply input validation to the \u003ccode\u003epublic_api\u003c/code\u003e configuration parameter within the Glances IP plugin to enforce scheme restrictions (http/https only) and validate the destination host, mitigating SSRF vulnerabilities as detailed in the overview.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of successful SSRF attacks by restricting access to internal resources from the Glances server.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from the Glances server for suspicious outbound traffic to internal or cloud metadata IP ranges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-glances-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter, allowing attackers to force outbound HTTP requests and potentially leak credentials via the Authorization header.","title":"Glances IP Plugin SSRF Vulnerability Leading to Credential Leakage","url":"https://feed.craftedsignal.io/briefs/2024-01-03-glances-ssrf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Glances"],"_cs_severities":["high"],"_cs_tags":["glances","command-injection","privilege-escalation","cve-2026-33641"],"_cs_type":"advisory","_cs_vendors":["Glances"],"content_html":"\u003cp\u003eGlances, a system monitoring tool, contains a command injection vulnerability in versions 4.5.2 and earlier. The vulnerability stems from the dynamic configuration parsing in \u003ccode\u003eConfig.get_value()\u003c/code\u003e, where substrings enclosed in backticks are interpreted and executed as system commands. This behavior occurs without proper validation or restriction, allowing an attacker to inject arbitrary commands. If an attacker can modify or influence the Glances configuration files, these commands will execute automatically with the privileges of the Glances process. This is particularly concerning in deployments where Glances runs with elevated privileges, such as when it is configured as a system service. The vulnerability is tracked as CVE-2026-33641.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the Glances configuration file (e.g., through misconfigured file permissions, shared writable directories, or compromised configuration management systems).\u003c/li\u003e\n\u003cli\u003eAttacker modifies the configuration file to include a malicious command within backticks in a configuration value (e.g., \u003ccode\u003eurl_prefix = 'id'\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eGlances is started or the configuration is reloaded.\u003c/li\u003e\n\u003cli\u003eDuring configuration parsing, the \u003ccode\u003eConfig.get_value()\u003c/code\u003e function in \u003ccode\u003eglances/config.py\u003c/code\u003e identifies the backtick-enclosed substring.\u003c/li\u003e\n\u003cli\u003eThe identified command is extracted and passed to the \u003ccode\u003esystem_exec()\u003c/code\u003e function in \u003ccode\u003eglances/globals.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esystem_exec()\u003c/code\u003e executes the command using \u003ccode\u003esubprocess.run()\u003c/code\u003e effectively running the injected code on the host.\u003c/li\u003e\n\u003cli\u003eThe output of the executed command replaces the original configuration value.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution with the privileges of the Glances process, potentially leading to privilege escalation if Glances runs with elevated permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the system with the privileges of the Glances process. If Glances is running as root or another privileged user, this can lead to full system compromise and privilege escalation. The vulnerability affects any system where Glances versions 4.5.2 or earlier is installed and the configuration file is modifiable by a malicious actor. Scenarios include misconfigured file permissions allowing unauthorized config modification, shared systems where configuration directories are writable by multiple users, container environments with mounted configuration volumes, and automated configuration management systems that ingest untrusted data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Glances to a version greater than 4.5.2 to patch CVE-2026-33641.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls on Glances configuration files to prevent unauthorized modification (reference Attack Chain step 1).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Glances Configuration Command Injection\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring process creation events after config file modification.\u003c/li\u003e\n\u003cli\u003eMonitor file integrity of Glances configuration files using a file integrity monitoring (FIM) system and alert on unauthorized changes to configuration files (reference Attack Chain step 2).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-glances-command-injection/","summary":"Glances versions 4.5.2 and earlier are vulnerable to command injection via dynamic configuration values, allowing arbitrary command execution with the privileges of the Glances process if an attacker can modify or influence configuration files, potentially leading to privilege escalation.","title":"Glances Command Injection Vulnerability via Dynamic Configuration","url":"https://feed.craftedsignal.io/briefs/2024-01-glances-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Glances","version":"https://jsonfeed.org/version/1.1"}