Listen to this Post
The vulnerability stems from the `/api/4/config` REST API endpoint, which returns the entire parsed Glances configuration file (glances.conf) without any filtering of sensitive data. The root cause is located in the `as_dict()` method within config.py, which iterates through every section and key of the configuration parser and returns them all as a flat dictionary . This method lacks any form of sensitive key filtering or redaction. Consequently, when the `_api_config()` function in `glances_restful_api.py` calls `self.config.as_dict()` to generate a JSON response, it exposes all stored credentials, including database passwords, API tokens, and JWT signing keys. The exposure is further exacerbated by an authentication bypass condition: if Glances is started without the `–password` argument, the API router is initialized with no authentication dependencies, making the endpoint openly accessible on the network .
dailycve form:
Platform: Glances
Version: <4.0.5
Vulnerability : Information Exposure
Severity: Medium
date: 2024-02-24
Prediction: 2024-05-24
What Undercode Say:
Analytics:
CVE-2024-21501 affects the Glances system monitoring tool, allowing unauthenticated remote attackers to access the full configuration file, including plaintext credentials for backend services like InfluxDB, MongoDB, and PostgreSQL . The vulnerability has a CVSS v3 base score of 5.3 (Medium), with an attack vector over the network and low complexity . It was publicly disclosed in February 2024, with official patches released in version 4.0.5 by late May 2024 . Fedora and other distributions have since backported the security fix .
Exploit:
The following Bash commands demonstrate the exploitation of this vulnerability by retrieving the entire configuration or specific secrets from a target Glances web server.
1. Start Glances in vulnerable web server mode (without password) glances -w 2. From an attacker machine, dump the entire configuration curl http://target:61208/api/4/config 3. Extract specific secrets (e.g., JWT secret key, InfluxDB token) curl http://target:61208/api/4/config/outputs/jwt_secret_key curl http://target:61208/api/4/config/influxdb2/token curl http://target:61208/api/4/config/passwords
Protection:
- Immediate Patching: Upgrade Glances to version 4.0.5 or later .
- Authentication: Always start the Glances web server with the `–password` argument to enable authentication on the API router .
- Network Segmentation: Restrict access to port 61208, allowing only trusted IP addresses to connect to the Glances web interface.
- Configuration Hardening: Avoid storing highly sensitive credentials in `glances.conf` if they are not strictly necessary for monitoring functions.
Impact:
Successful exploitation leads to full infrastructure compromise . An attacker can retrieve database credentials (InfluxDB, MongoDB, PostgreSQL/TimescaleDB, CouchDB, Cassandra), allowing direct access to all connected backend data stores. Additionally, exposure of JWT signing keys enables token forgery, and SSL key passwords can lead to decryption of secure communications .
References:
- [bash] Provided details
- [bash] Tenable Nessus Plugin ID 198288
- [bash] Tenable Vulnerability Publication Date
- [bash] Fedora Update FEDORA-2024-af1f06c79c
- [bash] LinuxSecurity.com Advisory
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

