Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (glances/exports/glances_cassandra/__init__.py) interpolates keyspace, table, and replication_factor configuration values directly into CQL statements without validation. A user with write access to glances.conf can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.
AnalysisAI
Cassandra export module in Glances prior to version 4.5.4 allows local privilege-escalated users to redirect monitoring data to attacker-controlled databases by injecting CQL statements through unvalidated configuration parameters. An authenticated local attacker with write access to the Glances configuration file can modify keyspace, table, and replication_factor settings to execute arbitrary CQL, enabling data exfiltration or denial of service against the monitoring infrastructure. This vulnerability requires elevated local access but carries high confidentiality and integrity impact.
Technical ContextAI
Glances is a system monitoring tool that includes pluggable export modules for sending metrics to various backends. The Cassandra export module (located in glances/exports/glances_cassandra/__init__.py) constructs CQL (Cassandra Query Language) statements by directly concatenating user-supplied configuration values from glances.conf without parameterization or validation. CQL is the query language for Apache Cassandra databases, functionally analogous to SQL in relational databases. The vulnerability is classified as CWE-89 (SQL Injection) - the underlying root cause is improper neutralization of special elements used in a database query. Affected versions prior to 4.5.4 fail to use prepared statements or input validation when building queries with keyspace, table name, and replication_factor parameters, allowing an attacker to break out of the intended query context and inject arbitrary CQL commands.
RemediationAI
Upgrade Glances to version 4.5.4 or later; vendor-released patched version is confirmed. Administrators should immediately update via their package manager (pip install --upgrade glances, or distro package manager equivalent). Until patching is possible, restrict write access to glances.conf file to root or the Glances service account only, using filesystem permissions (chmod 600 or stricter). Disable the Cassandra export module entirely if not in use by removing the [cassandra] section from glances.conf or setting enabled = false. If Cassandra export is required, implement configuration file integrity monitoring (e.g., via auditd or file integrity monitoring tools) to alert on unauthorized modifications. Restrict access to the machine running Glances to trusted administrators only, as this vulnerability inherently requires local administrative privilege. The tradeoff of these controls: disabling the module loses monitoring capability; read-only config files require planned updates to configuration; integrity monitoring adds operational overhead but provides detection capability.
Same weakness CWE-89 – SQL Injection
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23992
GHSA-grp3-h8m8-45p7