Glances, Information Exposure, CVE-2024-21501 (Medium)

Listen to this Post

The vulnerability stems from the `/api/4/config` REST API endpoint, which returns the entire parsed Glances configuration file (glances.conf) without any filtering of sensitive data. The root cause is located in the `as_dict()` method within config.py, which iterates through every section and key of the configuration parser and returns them all as a flat dictionary . This method lacks any form of sensitive key filtering or redaction. Consequently, when the `_api_config()` function in `glances_restful_api.py` calls `self.config.as_dict()` to generate a JSON response, it exposes all stored credentials, including database passwords, API tokens, and JWT signing keys. The exposure is further exacerbated by an authentication bypass condition: if Glances is started without the `–password` argument, the API router is initialized with no authentication dependencies, making the endpoint openly accessible on the network .

dailycve form:

Platform: Glances
Version: <4.0.5
Vulnerability : Information Exposure
Severity: Medium
date: 2024-02-24

Prediction: 2024-05-24

What Undercode Say:

Analytics:

CVE-2024-21501 affects the Glances system monitoring tool, allowing unauthenticated remote attackers to access the full configuration file, including plaintext credentials for backend services like InfluxDB, MongoDB, and PostgreSQL . The vulnerability has a CVSS v3 base score of 5.3 (Medium), with an attack vector over the network and low complexity . It was publicly disclosed in February 2024, with official patches released in version 4.0.5 by late May 2024 . Fedora and other distributions have since backported the security fix .

Exploit:

The following Bash commands demonstrate the exploitation of this vulnerability by retrieving the entire configuration or specific secrets from a target Glances web server.

1. Start Glances in vulnerable web server mode (without password)
glances -w
2. From an attacker machine, dump the entire configuration
curl http://target:61208/api/4/config
3. Extract specific secrets (e.g., JWT secret key, InfluxDB token)
curl http://target:61208/api/4/config/outputs/jwt_secret_key
curl http://target:61208/api/4/config/influxdb2/token
curl http://target:61208/api/4/config/passwords

Protection:

  • Immediate Patching: Upgrade Glances to version 4.0.5 or later .
  • Authentication: Always start the Glances web server with the `–password` argument to enable authentication on the API router .
  • Network Segmentation: Restrict access to port 61208, allowing only trusted IP addresses to connect to the Glances web interface.
  • Configuration Hardening: Avoid storing highly sensitive credentials in `glances.conf` if they are not strictly necessary for monitoring functions.

Impact:

Successful exploitation leads to full infrastructure compromise . An attacker can retrieve database credentials (InfluxDB, MongoDB, PostgreSQL/TimescaleDB, CouchDB, Cassandra), allowing direct access to all connected backend data stores. Additionally, exposure of JWT signing keys enables token forgery, and SSL key passwords can lead to decryption of secure communications .

References:

  • [bash] Provided details
  • [bash] Tenable Nessus Plugin ID 198288
  • [bash] Tenable Vulnerability Publication Date
  • [bash] Fedora Update FEDORA-2024-af1f06c79c
  • [bash] LinuxSecurity.com Advisory

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top