CVE-2021-23418: 
Python vulnerability analysis and mitigation

The vulnerability CVE-2021-23418 affects the Glances package versions before 3.2.1. Glances, a cross-platform curses-based monitoring tool, was found to be vulnerable to XML External Entity (XXE) Injection through the use of Fault to parse untrusted XML data. This vulnerability was disclosed on June 18, 2021, and published on July 29, 2021 (Snyk).

The vulnerability stems from using Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks. The issue was identified in the glances/compat.py file where xmlrpclib was being used without proper security measures. The vulnerability has a CVSS v3.1 base score of 6.3 (medium severity) according to Snyk's assessment, with network attack vector, low attack complexity, and requiring user interaction (Snyk).

If exploited, this XXE vulnerability could lead to the disclosure of local files containing sensitive data such as passwords or private user data. The attacker could potentially access local resources, which might result in reduced performance or interruptions in resource availability. The impact includes potential loss of confidentiality and integrity, with limited control over the extent of data modification (Snyk).

The vulnerability was addressed in Glances version 3.2.1 by implementing the defusedxml.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities. Users should upgrade to Glances version 3.2.1 or higher to resolve this security issue (GitHub Issue, GitHub Commit).