Tanishqshah2

Name of the Vulnerable Software and Affected Versions Glances versions prior to 4.5.3 Description Glances is a system cross-platform monitoring tool. The XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. This results in the complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines, which often contain tokens, passwords, or internal paths. The server's XML-RPC handler, located in glances/server.py, does not validate the Content-Type header, allowing the processing of XML payloads within a text/plain body. This is due to the inheritance from SimpleXMLRPCRequestHandler, which parses the POST body as XML regardless of the Content-Type. The lack of authentication in the default configuration (server.isAuth = False) further exacerbates the issue, making every XML-RPC server instance exploitable. Recommendations Update Glances to version 4.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** CTFer.io Monitoring versions prior to 0.2.2 **Description** The CTFer.io Monitoring component, responsible for collecting, processing, and storing signals like logs, metrics, and distributed traces, contains a path traversal flaw in the `sanitizeArchivePath` function within `pkg/extract/extract.go` (lines 248–254). This is due to a missing trailing path separator in the `strings.HasPrefix` check. This allows arbitrary file writes, potentially overwriting shell configurations, SSH keys, kubeconfig files, or crontabs, leading to Remote Code Execution (RCE) and persistent backdoors. The default ReadWriteMany Persistent Volume Claim (PVC) access mode amplifies the attack surface, enabling any pod in the cluster to inject a malicious payload. The `sanitizeArchivePath` function is called during the Cold Extract data dump workflow. The root cause is a directory name prefix collision because the `strings.HasPrefix` check does not append a trailing '/' to the directory prefix. A crafted tar archive can write files outside the intended destination directory when using the `extractor` CLI tool or the `extract.DumpOTelCollector` library function. **Recommendations** Versions prior to 0.2.2 should be updated to version 0.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Romeo versions prior to 0.2.2 **Description** Romeo, a Go code coverage tool, contains a path traversal flaw in the `sanitizeArchivePath` function located in `webserver/api/v1/decoder.go` (lines 80-88). This is due to a missing trailing path separator in the `strings.HasPrefix` check, allowing a crafted tar archive to write files outside the intended destination directory. The function `sanitizeArchivePath` is called within the `Unzip` function and subsequently by the `Decode` function during the execution of the webserver CLI command `download`. The issue arises because the `strings.HasPrefix` check does not account for a trailing forward slash in the directory prefix, leading to a directory name prefix collision. This allows an attacker to bypass the intended security measures and write files to arbitrary locations. Successful exploitation could lead to arbitrary file write access on the system running the webserver CLI, potentially enabling remote code execution through modifications to shell configuration files, SSH authorized keys, or Kubernetes configuration files. The default `ReadWriteMany` PVC access mode expands the attack surface, as any pod with access to the PVC can inject the malicious payload. **Recommendations** Update to Romeo version 0.2.2 or later.