Tanishqshah2

Name of the Vulnerable Software and Affected Versions Glances versões anteriores a 4.5.3 Description Glances é uma ferramenta de monitoramento de sistema cross-platform de código aberto. O servidor XML-RPC (ativado com glances -s ou glances --server) envia Access-Control-Allow-Origin: * em cada resposta HTTP. Como o handler XML-RPC não valida o cabeçalho Content-Type, uma página web controlada por um atacante pode emitir uma requisição CORS "simples" (POST com Content-Type: text/plain) contendo uma carga útil XML-RPC válida. O navegador envia a requisição sem uma verificação de pré-voo, o servidor processa o corpo XML e retorna o conjunto de dados completo de monitoramento do sistema, e o cabeçalho CORS curinga permite que o JavaScript do atacante leia a resposta. Isso resulta na exfiltração completa do nome do host, versão do SO, endereços IP, estatísticas de CPU/memória/disco/rede e a lista completa de processos, incluindo linhas de comando, que frequentemente contêm tokens, senhas ou caminhos internos. O handler XML-RPC do servidor, localizado em glances/server.py, não valida o cabeçalho Content-Type, permitindo o processamento de cargas úteis XML dentro de um corpo text/plain. Isso se deve à herança de SimpleXMLRPCRequestHandler, que analisa o corpo POST como XML independentemente do cabeçalho Content-Type. A falta de autenticação na configuração padrão (server.isAuth = False) agrava ainda mais o problema, tornando cada instância de servidor XML-RPC explorável. Recommendations Atualize o Glances para a versão 4.5.3 ou posterior.

**Name of the Vulnerable Software and Affected Versions** CTFer.io Monitoring versions prior to 0.2.2 **Description** The CTFer.io Monitoring component, responsible for collecting, processing, and storing signals like logs, metrics, and distributed traces, contains a path traversal flaw in the `sanitizeArchivePath` function within `pkg/extract/extract.go` (lines 248–254). This is due to a missing trailing path separator in the `strings.HasPrefix` check. This allows arbitrary file writes, potentially overwriting shell configurations, SSH keys, kubeconfig files, or crontabs, leading to Remote Code Execution (RCE) and persistent backdoors. The default ReadWriteMany Persistent Volume Claim (PVC) access mode amplifies the attack surface, enabling any pod in the cluster to inject a malicious payload. The `sanitizeArchivePath` function is called during the Cold Extract data dump workflow. The root cause is a directory name prefix collision because the `strings.HasPrefix` check does not append a trailing '/' to the directory prefix. A crafted tar archive can write files outside the intended destination directory when using the `extractor` CLI tool or the `extract.DumpOTelCollector` library function. **Recommendations** Versions prior to 0.2.2 should be updated to version 0.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Romeo versions prior to 0.2.2 **Description** Romeo, a Go code coverage tool, contains a path traversal flaw in the `sanitizeArchivePath` function located in `webserver/api/v1/decoder.go` (lines 80-88). This is due to a missing trailing path separator in the `strings.HasPrefix` check, allowing a crafted tar archive to write files outside the intended destination directory. The function `sanitizeArchivePath` is called within the `Unzip` function and subsequently by the `Decode` function during the execution of the webserver CLI command `download`. The issue arises because the `strings.HasPrefix` check does not account for a trailing forward slash in the directory prefix, leading to a directory name prefix collision. This allows an attacker to bypass the intended security measures and write files to arbitrary locations. Successful exploitation could lead to arbitrary file write access on the system running the webserver CLI, potentially enabling remote code execution through modifications to shell configuration files, SSH authorized keys, or Kubernetes configuration files. The default `ReadWriteMany` PVC access mode expands the attack surface, as any pod with access to the PVC can inject the malicious payload. **Recommendations** Update to Romeo version 0.2.2 or later.