GHSA-cvwp-r2g2-j824

Summary

The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the /api/v4/config endpoints by introducing as_dict_secure() redaction. However, the /api/v4/args and /api/v4/args/{item} endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via vars(self.args), which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without --password (the default), these endpoints are accessible without any authentication.

Details

The secrets exposure fix (GHSA-gh4x, commit 5d3de60) modified three config-related endpoints to use as_dict_secure() when no password is configured:

# glances/outputs/glances_restful_api.py:1168 (FIXED)
args_json = self.config.as_dict() if self.args.password else self.config.as_dict_secure()

However, the _api_args and _api_args_item endpoints were not part of this fix and still return all arguments without any sanitization:

# glances/outputs/glances_restful_api.py:1222-1237
def _api_args(self):
    try:
        # Get the RAW value of the args dict
        # Use vars to convert namespace to dict
        args_json = vars(self.args)
    except Exception as e:
        raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get args ({str(e)})")

    return GlancesJSONResponse(args_json)

And the item-specific endpoint:

# glances/outputs/glances_restful_api.py:1239-1258
def _api_args_item(self, item: str):
    ...
    args_json = vars(self.args)[item]
    return GlancesJSONResponse(args_json)

The self.args namespace contains sensitive fields set during initialization in glances/main.py:

1. password (line 806-819): When --password is used, this contains the salt + pbkdf2_hmac hash. An attacker can use this for offline brute-force attacks.

2. snmp_community (line 445): Default "public", but may be set to a secret community string for SNMP monitoring.

3. snmp_user (line 448): SNMP v3 username, default "private".

4. snmp_auth (line 450): SNMP v3 authentication key, default "password" but typically set to a secret value.

5. conf_file (line 198): Path to the configuration file, reveals filesystem structure.

6. username (line 430/800): The Glances authentication username.

Both endpoints are registered on the authenticated router (line 504-505):

f'{base_path}/args': self._api_args,
f'{base_path}/args/{{item}}': self._api_args_item,

When --password is not set (the default), the router has NO authentication dependency (line 479-480), making these endpoints completely unauthenticated:

if self.args.password:
    router = APIRouter(prefix=self.url_prefix, dependencies=[Depends(self.authentication)])
else:
    router = APIRouter(prefix=self.url_prefix)

PoC

Scenario 1: No password configured (default deployment)

# Start Glances in web server mode (default, no password)
glances -w

# Access all command line arguments without authentication
curl -s http://localhost:61208/api/4/args | python -m json.tool

# Expected output includes sensitive fields:
# "password": "",
# "snmp_community": "public",
# "snmp_user": "private",
# "snmp_auth": "password",
# "username": "glances",
# "conf_file": "/home/user/.config/glances/glances.conf",

# Access specific sensitive argument
curl -s http://localhost:61208/api/4/args/snmp_community
curl -s http://localhost:61208/api/4/args/snmp_auth

Scenario 2: Password configured (authenticated deployment)

# Start Glances with password authentication
glances -w --password --username admin

# Authenticate and access args (password hash exposed to authenticated users)
curl -s -u admin:mypassword http://localhost:61208/api/4/args/password
# Returns the salt$pbkdf2_hmac hash which enables offline brute-force

Impact

• Unauthenticated network reconnaissance: When Glances runs without --password (the common default for internal/trusted networks), anyone who can reach the web server can enumerate SNMP credentials, usernames, file paths, and all runtime configuration.

• Offline password cracking: When authentication is enabled, an authenticated user can retrieve the password hash (salt + pbkdf2hmac) and perform offline brute-force attacks. The hash uses pbkdf2hmac with SHA-256 and 100,000 iterations (see glances/password.py:45), which provides some protection but is still crackable with modern hardware.

• Lateral movement: Exposed SNMP community strings and v3 authentication keys can be used to access other network devices monitored by the Glances instance.

• Supply chain for CORS attack: Combined with the default CORS misconfiguration (finding 001), these secrets can be stolen cross-origin by a malicious website.

Recommended Fix

Apply the same redaction pattern used for the /api/v4/config endpoints:

# glances/outputs/glances_restful_api.py

_SENSITIVE_ARGS = frozenset({
    'password', 'snmp_community', 'snmp_user', 'snmp_auth',
    'conf_file', 'password_prompt', 'username_used',
})

def _api_args(self):
    try:
        args_json = vars(self.args).copy()
        if not self.args.password:
            for key in _SENSITIVE_ARGS:
                if key in args_json:
                    args_json[key] = "********"
        # Never expose the password hash, even to authenticated users
        if 'password' in args_json and args_json['password']:
            args_json['password'] = "********"
    except Exception as e:
        raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get args ({str(e)})")
    return GlancesJSONResponse(args_json)

def _api_args_item(self, item: str):
    if item not in self.args:
        raise HTTPException(status.HTTP_400_BAD_REQUEST, f"Unknown argument item {item}")
    try:
        if item in _SENSITIVE_ARGS:
            if not self.args.password:
                return GlancesJSONResponse("********")
            if item == 'password':
                return GlancesJSONResponse("********")
        args_json = vars(self.args)[item]
    except Exception as e:
        raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get args item ({str(e)})")
    return GlancesJSONResponse(args_json)