Source: glances
Version: 4.5.2+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for glances.

CVE-2026-33533[0]:
| Glances is an open-source system cross-platform monitoring tool.
| Prior to version 4.5.3, the Glances XML-RPC server (activated with
| glances -s or glances --server) sends Access-Control-Allow-Origin: *
| on every HTTP response. Because the XML-RPC handler does not
| validate the Content-Type header, an attacker-controlled webpage can
| issue a CORS "simple request" (POST with Content-Type: text/plain)
| containing a valid XML-RPC payload. The browser sends the request
| without a preflight check, the server processes the XML body and
| returns the full system monitoring dataset, and the wildcard CORS
| header lets the attacker's JavaScript read the response. The result
| is complete exfiltration of hostname, OS version, IP addresses,
| CPU/memory/disk/network stats, and the full process list including
| command lines (which often contain tokens, passwords, or internal
| paths). This issue has been patched in version 4.5.3.

CVE-2026-33641[1]:
| Glances is an open-source system cross-platform monitoring tool.
| Prior to version 4.5.3, Glances supports dynamic configuration
| values in which substrings enclosed in backticks are executed as
| system commands during configuration parsing. This behavior occurs
| in Config.get_value() and is implemented without validation or
| restriction of the executed commands. If an attacker can modify or
| influence configuration files, arbitrary commands will execute
| automatically with the privileges of the Glances process during
| startup or configuration reload. In deployments where Glances runs
| with elevated privileges (e.g., as a system service), this may lead
| to privilege escalation. This issue has been patched in version
| 4.5.3.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33533
    https://www.cve.org/CVERecord?id=CVE-2026-33533
    https://github.com/nicolargo/glances/security/advisories/GHSA-7p93-6934-f4q7
[1] https://security-tracker.debian.org/tracker/CVE-2026-33641
    https://www.cve.org/CVERecord?id=CVE-2026-33641
    https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
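The two advisories quoted above come down to two missing checks: the XML-RPC handler accepting any Content-Type while answering with a wildcard CORS header, and configuration values being parsed with backtick substrings executed as shell commands. The following is an added illustration of what the defensive side of each looks like; it is not code from the glances project and does not reproduce its handler or its Config.get_value(). The function names, the origin allowlist, the sample request headers and the sample configuration file are all constructed for this example.

```python
"""Defensive checks matching CVE-2026-33533 and CVE-2026-33641 (added example,
not glances code). Names and sample data below are constructed."""
import configparser
import re
from typing import Dict, List, Mapping, Optional, Tuple

# A well-formed XML-RPC request is a POST carrying an XML body. A browser can
# send text/plain without a CORS preflight, so accepting it is what let the
# "simple request" in CVE-2026-33533 reach the handler.
ALLOWED_XMLRPC_CONTENT_TYPES = frozenset({"text/xml", "application/xml"})


def check_xmlrpc_request(method: str, headers: Mapping[str, str],
                         allowed_origins: frozenset = frozenset()) -> Tuple[bool, str]:
    """Decide whether an incoming request may reach the XML-RPC dispatcher.

    Returns (allowed, reason). Header names are matched case-insensitively;
    the Content-Type media type is compared without its parameters.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return False, f"method {method} not allowed"
    ctype = hdr.get("content-type", "")
    media_type = ctype.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_XMLRPC_CONTENT_TYPES:
        return False, f"unsupported Content-Type {ctype!r}"
    # A cross-site browser request always carries Origin; only allowlisted
    # origins get through, and a missing Origin (non-browser client) is fine.
    origin = hdr.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False, f"origin {origin} not allowed"
    return True, "ok"


def cors_headers(origin: Optional[str], allowed_origins: frozenset) -> Dict[str, str]:
    """Response headers replacing the wildcard: echo the Origin only when it is
    on the allowlist, otherwise emit no Access-Control-Allow-Origin at all."""
    if origin and origin in allowed_origins:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


# --- CVE-2026-33641: find backtick substitutions before a config is loaded ---

BACKTICK_RE = re.compile(r"`([^`]*)`")


def find_backtick_values(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, command) for every value containing a backtick
    substring. A deployment that wants no dynamic values can refuse to start
    when this list is non-empty instead of letting the parser execute them."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            for cmd in BACKTICK_RE.findall(value):
                hits.append((section, key, cmd))
    return hits


# Constructed sample configuration; the backtick value is the thing to catch.
SAMPLE_CONF = """\
[global]
refresh=2

[cpu]
user_careful=50
user_critical=`cat /etc/glances/cpu_threshold`

[network]
hide=lo,docker.*
"""


if __name__ == "__main__":
    trusted = frozenset({"https://dashboard.example"})
    print(check_xmlrpc_request("POST", {"Content-Type": "text/xml"}, trusted))
    print(check_xmlrpc_request("POST", {"Content-Type": "text/plain",
                                        "Origin": "https://other.example"}, trusted))
    print(cors_headers("https://dashboard.example", trusted))
    for section, key, cmd in find_backtick_values(SAMPLE_CONF):
        print(f"backtick substitution in [{section}] {key}: {cmd!r}")
```

The request gate rejects the text/plain POST on the Content-Type check before the origin is even considered, and the response helper never sets a wildcard, so a page that is not on the allowlist cannot read the reply even if a request did get through. The config scanner is deliberately separate from any loader: it only reports where a backtick value sits so an operator or a packaging test can decide what to do with it.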

