Description
Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace.
CVSS breakdown
CVSS 4.0
Attack Vector
Local
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User Interaction
Active
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
Low
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High
Affected products
- nesquena / hermes-webui0 – 0.51.303
References
- PATCHhttps://github.com/nesquena/hermes-webui/releases/tag/v0.51.303
- PATCHhttps://github.com/nesquena/hermes-webui/pull/3702
- PATCHhttps://github.com/nesquena/hermes-webui/pull/3756
- PATCHhttps://github.com/nesquena/hermes-webui/commit/4580f584964d640b95c4ffc9245a21ab926bec73
- VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/hermes-webui-toctou-race-condition-via-git-discard