CVE-2026-30930: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in nicolargo glances
CVE-2026-30930 is a high-severity SQL injection vulnerability in the open-source system monitoring tool Glances, affecting versions prior to 4.5.1. The TimescaleDB export module builds SQL statements by concatenating unsanitized system monitoring data, such as process names or filesystem mount points, without escaping embedded single quotes. This flaw lets an attacker who can influence those values inject SQL of their choosing, potentially compromising the confidentiality, integrity, and availability of the database. The vulnerability requires neither authentication nor user interaction and has a CVSS 4.0 score of 7.3. It is fixed in Glances version 4.5.1.
AI Analysis
Technical Summary
Glances is a widely used open-source, cross-platform system monitoring tool that reports real-time information about system resources. Prior to version 4.5.1, its TimescaleDB export module builds SQL statements by string concatenation: the module's normalize() method wraps string values in single quotes but does not escape single quotes embedded in those values. Much of what Glances exports is influenced by whoever can act on the monitored host, such as process names, filesystem mount points, network interface names, and container names, so a crafted value terminates the quoted literal and the remainder is parsed as SQL (CWE-89). An attacker who can place such a value into the monitored data can run SQL against the TimescaleDB database, leading to unauthorized data access, data modification, or denial of service. No Glances or database credentials and no user interaction are needed; the attacker only needs to influence monitored values on a host whose Glances instance has TimescaleDB export enabled. The CVSS 4.0 vector reflects this: local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). No exploitation in the wild has been reported, but the high score (7.3) and the triviality of the trigger warrant prompt patching. Glances 4.5.1 resolves the issue by properly escaping embedded single quotes in the generated SQL.
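The pattern described above, as an added illustration that is not Glances' own code: a reconstructed normalize() that quotes without escaping, the SQL it emits for an attacker-named process, and two fixes (quote doubling, and parameterized inserts). The table, column names, sample row, and the use of Python's bundled sqlite3 as a stand-in for TimescaleDB/PostgreSQL are all assumptions made for this example; executescript() plays the role of a driver that passes the whole string to the server.

```python
import sqlite3
from typing import Any, Callable, Dict, Tuple

# Constructed sample row of the kind a monitoring exporter writes. The process
# name is attacker-influenced: any local user can run a binary with this name.
SAMPLE_ROW: Dict[str, Any] = {
    "name": "bash', 0, 0); DROP TABLE processes; --",
    "cpu_percent": 12.5,
    "memory_percent": None,
}


def normalize_vulnerable(value: Any) -> str:
    """Reconstruction of the flawed pattern: quote strings, never escape them."""
    if value is None:
        return "NULL"
    if isinstance(value, str):
        return f"'{value}'"
    return str(value)


def normalize_escaped(value: Any) -> str:
    """Minimal fix: double every embedded single quote (the SQL-standard escape)."""
    if value is None:
        return "NULL"
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"
    return str(value)


def build_insert(table: str, row: Dict[str, Any], normalize: Callable[[Any], str]) -> str:
    """String-built INSERT; identifiers come from code, values go through `normalize`."""
    cols = ", ".join(row)
    vals = ", ".join(normalize(v) for v in row.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals});"


def build_insert_parameterized(table: str, row: Dict[str, Any]) -> Tuple[str, tuple]:
    """Preferred fix: a placeholder per value, so the driver never parses data as SQL."""
    cols = ", ".join(row)
    placeholders = ", ".join("?" for _ in row)
    return f"INSERT INTO {table} ({cols}) VALUES ({placeholders})", tuple(row.values())


def _fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE processes (name TEXT, cpu_percent REAL, memory_percent REAL)")
    return con


def _table_exists(con: sqlite3.Connection, name: str) -> bool:
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1


def demo_vulnerable() -> bool:
    """Export the sample row through the flawed path; returns whether the table survived.
    executescript() stands in for a driver that sends the whole string to the server
    (PostgreSQL's simple query protocol accepts several ';'-separated statements)."""
    con = _fresh_db()
    con.executescript(build_insert("processes", SAMPLE_ROW, normalize_vulnerable))
    return _table_exists(con, "processes")


def demo_escaped() -> str:
    """Same exporter with quote doubling: the payload is stored as an ordinary string."""
    con = _fresh_db()
    con.executescript(build_insert("processes", SAMPLE_ROW, normalize_escaped))
    return con.execute("SELECT name FROM processes").fetchone()[0]


def demo_parameterized() -> str:
    """Parameterized INSERT: the payload is bound as data, no escaping logic needed."""
    con = _fresh_db()
    sql, params = build_insert_parameterized("processes", SAMPLE_ROW)
    con.execute(sql, params)
    return con.execute("SELECT name FROM processes").fetchone()[0]


if __name__ == "__main__":
    print("vulnerable SQL:", build_insert("processes", SAMPLE_ROW, normalize_vulnerable))
    print("table survived vulnerable export:", demo_vulnerable())
    print("escaped export stored:", repr(demo_escaped()))
    print("parameterized export stored:", repr(demo_parameterized()))
```

Two practical notes. First, stacked statements are only the most visible outcome: a value such as `'||(SELECT ...)||'` changes what a single INSERT does without a second statement, so a driver that rejects multi-statement strings is not a defense. Second, placeholders bind values only; table and column names still have to come from trusted code, which is why the example takes them from the row's keys rather than from monitored data.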
Potential Impact
The SQL injection vulnerability in Glances' TimescaleDB export module can have severe consequences. Exploitation lets an attacker execute arbitrary SQL against the TimescaleDB database with the privileges of the Glances export role, leading to disclosure of monitoring data, alteration or deletion of records, or disruption of the monitoring pipeline. Tampered or missing telemetry undermines system visibility and hinders incident response, and a database reachable from the monitoring tier can serve as a pivot point for further attacks within the network. Because Glances is often deployed in critical infrastructure, cloud environments, and enterprise systems, loss of database integrity or availability can affect operational stability and security posture. The risk is highest on multi-tenant or shared hosts, where any local user can influence monitored values such as process names without holding any Glances or database credentials. Organizations relying on Glances for monitoring and analytics should weigh the potential for data exposure, loss of monitoring fidelity, and operational downtime if the flaw is exploited.
Mitigation Recommendations
To mitigate this vulnerability, upgrade Glances to version 4.5.1 or later, where the SQL injection flaw is fixed by proper escaping of special characters in the generated SQL. If upgrading is temporarily not feasible, disable the TimescaleDB export module so that monitored values are no longer written to the database. Do not rely on validating the monitored data itself: process names, mount points, and interface names are chosen by whoever controls the host, so they must be treated as untrusted input. Restrict the database role used by Glances to the minimum necessary (INSERT on its own tables, no DDL, no access to other schemas) so that a successful injection cannot drop tables or read unrelated data. Monitor database logs for suspicious statements from that role, for example stacked statements or DDL in what should only ever be INSERTs (PostgreSQL's log_statement setting can capture these). Use network segmentation and access controls to limit exposure of the TimescaleDB instance. Regularly audit and update monitoring tools and their dependencies so that security patches are applied promptly. Web Application Firewalls are not relevant here: the injected values reach the database over the export connection, not via HTTP, so detection belongs on the database side, with database activity monitoring that flags injection patterns in the export traffic.
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, Netherlands, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T16:40:05.885Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b04b8dea502d3aa873bac7
Added to database: 3/10/2026, 4:49:17 PM
Last enriched: 3/17/2026, 7:16:03 PM
Last updated: 4/23/2026, 4:02:20 PM
Views: 131