CVE-2026-32633

Glances · Glances

The Glances monitoring tool exposes sensitive HTTP Basic credentials for downstream servers via an unauthenticated API endpoint when the central browser is run without a password.

Executive summary

An unauthenticated information disclosure vulnerability in Glances allows remote attackers to harvest reusable authentication secrets for protected downstream monitoring servers.

Vulnerability

The /api/4/serverslist endpoint returns raw server objects that include embedded HTTP Basic credentials in the uri field. In common internal deployments where the Glances Browser is started without the --password flag, this endpoint is completely unauthenticated.

Business impact

The exposure of reusable credentials allows an attacker to gain unauthorized access to all downstream Glances servers within the infrastructure. With a CVSS score of 9.1, this vulnerability poses a critical risk to organizational security, as it facilitates lateral movement and provides attackers with deep visibility into system performance and configurations across the entire network.

Remediation

Immediate Action: Update Glances to version 4.5.2 or higher and ensure that every Glances Browser instance is started with the --password flag.

Proactive Monitoring: Review API access logs for unauthorized requests to the /api/4/serverslist endpoint and monitor for anomalous login activity on downstream monitoring nodes.

Compensating Controls: Implement network segmentation to ensure the Glances API is only accessible from trusted administrative subnets and use a Web Application Firewall (WAF) to block unauthenticated access to the /api/ path.
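The log review called for under Proactive Monitoring and the trusted-subnet rule under Compensating Controls can be combined into one check. The following is an added example, not code from the advisory or from the Glances project; it assumes Glances is fronted by a reverse proxy writing combined-format access logs, and the log lines and the trusted subnet are constructed for illustration.

```python
import ipaddress
import re

# Assumption: Glances sits behind a reverse proxy (nginx/Apache) writing the
# combined log format; this is not a Glances-native log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)
SENSITIVE_PATH = "/api/4/serverslist"  # endpoint named in the advisory

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.5.12 - - [01/Mar/2026:10:00:01 +0000] "GET /api/4/serverslist HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Mar/2026:10:02:13 +0000] "GET /api/4/serverslist HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Mar/2026:10:02:14 +0000] "GET /api/4/cpu HTTP/1.1" 200 120 "-" "python-requests/2.31"',
    '198.51.100.9 - - [01/Mar/2026:10:05:00 +0000] "GET /api/4/serverslist?x=1 HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    'garbage line that does not parse',
]


def find_serverslist_hits(lines, trusted_cidrs):
    """Requests for SENSITIVE_PATH from IPs outside trusted_cidrs.

    Status 200 means the server list (and any embedded credentials) was
    actually served, i.e. the Browser ran without --password; 401 means the
    password requirement held but the endpoint was still probed.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != SENSITIVE_PATH:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in nets):
            continue  # trusted administrative subnet
        hits.append({
            "ip": str(ip),
            "status": int(m.group("status")),
            "served": m.group("status") == "200",
            "ua": m.group("ua") or "",
        })
    return hits
```

A hit with served set to True is the case to escalate: the endpoint answered, so any downstream credentials in the response should be treated as exposed and rotated.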

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a significant failure in credential handling. It is imperative that organizations update to version 4.5.2 and enforce password authentication on all monitoring interfaces to prevent the mass exposure of infrastructure credentials.