Description
Hermes WebUI before version 0.51.296 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within _remote_terminal_workspace_candidate(). Attackers can configure a remote terminal working directory to a system directory such as /etc, causing the workspace resolution path to accept it as a trusted local workspace root before the _is_blocked_workspace_path() guard executes, enabling read access to local system files through workspace file-read helpers.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
High
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected products
- nesquena / hermes-webui0 – 0.51.296
References
- PATCHhttps://github.com/nesquena/hermes-webui/releases/tag/v0.51.296
- PATCHhttps://github.com/nesquena/hermes-webui/pull/3731
- PATCHhttps://github.com/nesquena/hermes-webui/pull/3744
- PATCHhttps://github.com/nesquena/hermes-webui/commit/91a89fb5d5c0bf87932917f9914ad0150ea62fe4
- VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/hermes-webui-workspace-boundary-bypass-via-api-workspace-py