Glances, an open-source cross-platform system monitoring tool, contains a Server-Side Request Forgery vulnerability in its IP plugin prior to version 4.5.4. The vulnerability is due to the public_api configuration parameter being used directly in outbound HTTP requests without validating the URL scheme or hostname/IP. This allows an attacker who can modify the configuration to force Glances to send HTTP requests to arbitrary endpoints, including internal network services or cloud metadata endpoints. Additionally, if public_username and public_password are set, these credentials are included in the Authorization: Basic header, potentially leaking sensitive credentials to attacker-controlled servers. The vulnerability is addressed in version 4.5.4, which includes a patch to validate and restrict the public_api parameter.

Exploitation of this vulnerability allows an attacker with configuration modification capabilities to make Glances send arbitrary HTTP requests to internal or external systems, potentially accessing internal network services or sensitive cloud metadata endpoints. Credential leakage can occur if authentication credentials are configured, as they are sent in outbound requests to attacker-controlled servers. This can lead to unauthorized data disclosure and further compromise of internal resources. No known exploits in the wild have been reported as of the published date.

Upgrade Glances to version 4.5.4 or later, which contains a patch addressing this SSRF vulnerability by validating the public_api configuration parameter. Until upgrading, restrict access to Glances configuration files and interfaces to trusted users only to prevent unauthorized modification. Patch status is not explicitly stated in the vendor advisory, but version 4.5.4 is confirmed to contain the fix.