CVE-2026-34839
MEDIUM6.5EPSS 0.03%Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
描述
### Summary The Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. ### Details When Glances is started in web mode (e.g., `glances -w -B 0.0.0.0`), it exposes a REST API endpoint at: http://<host>:61208/api/4/all The server responds with: Access-Control-Allow-Origin: * This allows any origin to perform cross-origin requests and read responses. The `/api/4/all` endpoint returns extensive system information, including: - Process list (`processlist`) - System details (hostname, OS, CPU info) - Memory and disk usage - Network interfaces and IP address - Running services and metrics Because no authentication is required by default, this data is accessible to any web page. ### PoC 1. Start Glances: glances -w -B 0.0.0.0 2. Create a malicious HTML file: ``` <!DOCTYPE html> <html> <body> <script> fetch("http://<victim-ip>:61208/api/4/all") .then(r => r.json()) .then(data => { console.log("DATA:", data); }); </script> </body> </html> ``` 2. Open the file in a browser while Glances is running. 3. Observe that the browser successfully retrieves sensitive system information from the API. This works cross-origin (e.g., from file:// or attacker-controlled domains). ### Impact A remote attacker can host a malicious website that, when visited by a victim running Glances, can: - Read sensitive system information - Enumerate running processes - Identify network configuration and IP addresses - Fingerprint the host system This requires no authentication and no user interaction beyond visiting a web page. This represents a cross-origin information disclosure vulnerability and can aid further attacks such as reconnaissance or targeted exploitation.
受影響套件(2)
- Debian/glancesfrom 0
- PyPI/glancesfrom 0, < 4.5.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-34839
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-34839
- PATCHhttps://github.com/nicolargo/glances
- WEBhttps://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9
- WEBhttps://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh