Glances is a cross-platform system monitoring tool that supports a Central Browser mode to aggregate data from multiple downstream Glances servers. Prior to version 4.5.2, the /api/4/serverslist REST API endpoint returns raw server objects obtained from the GlancesServersList.get_servers_list() method. These server objects are mutated during background polling and may include a 'uri' field containing embedded HTTP Basic authentication credentials. These credentials are derived using a reusable pbkdf2-based Glances authentication secret. Critically, if the front-end Glances Browser/API instance is launched without the --password option, which is common in internal network deployments, the /api/4/serverslist endpoint is completely unauthenticated. This allows any network user who can reach the API endpoint to retrieve these server objects and extract the embedded credentials. With these credentials, an attacker can authenticate to downstream Glances servers, potentially gaining unauthorized access to sensitive system monitoring data or control interfaces. The vulnerability arises from improper exposure of sensitive information (CWE-200) and the use of reusable authentication secrets without adequate access control (CWE-522). The issue was fixed in Glances version 4.5.2 by enforcing authentication on the API endpoint and preventing credential leakage. Although no known exploits are reported in the wild, the vulnerability's characteristics make it highly exploitable remotely without authentication or user interaction. The CVSS v3.1 score of 9.1 reflects the critical nature of this information disclosure vulnerability with network attack vector and no privileges required.

The vulnerability allows attackers with network access to the Glances Browser API to retrieve reusable HTTP Basic credentials for downstream Glances servers. This can lead to unauthorized access to system monitoring data, potentially exposing sensitive operational information such as system performance, running processes, and resource usage. Attackers could use this information for reconnaissance or to facilitate further attacks within the network. The exposure of reusable credentials also risks unauthorized control or manipulation of monitored systems if the downstream Glances servers allow command execution or configuration changes. Since the vulnerability requires no authentication and no user interaction, it significantly lowers the attack barrier. Organizations relying on Glances for internal monitoring, especially those deploying it without password protection on the Browser/API instance, face a high risk of internal or lateral network compromise. The impact on confidentiality and integrity is high, while availability is not directly affected. This could lead to data breaches, loss of trust in monitoring infrastructure, and potential escalation of privileges within the network.

1. Upgrade all Glances installations to version 4.5.2 or later, where this vulnerability is fixed. 2. If immediate upgrade is not possible, ensure that the Glances Browser/API instance is always started with the --password option to enforce authentication on the /api/4/serverslist endpoint. 3. Restrict network access to the Glances Browser API interface using firewall rules or network segmentation to limit exposure only to trusted users and systems. 4. Monitor network traffic to detect unauthorized access attempts to the /api/4/serverslist endpoint. 5. Rotate any potentially exposed authentication secrets and downstream server credentials to invalidate leaked credentials. 6. Review and audit downstream Glances server configurations to ensure minimal privileges and secure authentication mechanisms. 7. Educate system administrators about the risks of deploying monitoring tools without authentication, especially in internal networks. 8. Implement network-level authentication or VPN access controls to protect internal monitoring infrastructure.