SB2026042155 - Multiple vulnerabilities in glances

Description

This security bulletin contains information about 2 vulnerabilities.

1) SQL injection (CVE-ID: CVE-2026-30930)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the TimescaleDB export module when processing unsanitized system monitoring data in SQL queries. A local user can create a process or other monitored resource with a specially crafted name to execute arbitrary SQL commands.

Exploitation is possible through attacker-controlled values such as process names, filesystem mount points, network interface names, or container names.

2) Improper access control (CVE-ID: CVE-2026-30928)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the /api/4/config REST API endpoint when handling requests to retrieve configuration data. A remote attacker can send a request to the endpoint to disclose sensitive information.

The endpoint returns the parsed configuration file without filtering or redacting secrets, exposing credentials such as database passwords, API tokens, JWT signing keys, and SSL key passwords.

Remediation

Install update from vendor's website.

References

• https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6
• https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6