Description
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in api/workspace_git.py through vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND to achieve arbitrary command execution on the host running the application.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- nesquena / hermes-webui0 – 0.51.311
References
- PATCHhttps://github.com/nesquena/hermes-webui/releases/tag/v0.51.311
- PATCHhttps://github.com/nesquena/hermes-webui/pull/3776
- PATCHhttps://github.com/nesquena/hermes-webui/commit/938ac9f55b53def1eefb48c4c42dabaf9c22e99c
- VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/hermes-webui-rce-via-git-configuration-injection