Hermes WebUI Path Traversal Vulnerability in Session Import Endpoint
Vulnerability
A path traversal vulnerability has been identified in Hermes WebUI versions prior to 0.51.44 - Release T. This vulnerability allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can exploit this by supplying a blocked filesystem root in the workspace field and using relative paths in the session file API to access any file that is readable by the WebUI process.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server where WebUI is running.
Reproduction
To reproduce this vulnerability, an authenticated user imports a session file through the session import endpoint. The imported session file includes a workspace value set to a blocked filesystem root, such as the root directory. Once the session is imported, the workspace validation flaw allows the session file API to be used with relative paths to access files outside the intended directory, for example the system file 'etc/hosts'.
Remediation
Users are advised to update to Hermes WebUI version 0.51.44 or later, where this vulnerability has been addressed.
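The following is an added example, not code from Hermes WebUI or its patch: it shows the two checks this class of flaw calls for, validating the workspace when a session is imported and re-checking containment when the file API resolves a relative path. The names `ALLOWED_BASE`, `import_session` and `resolve_session_file`, and the policy of a single allowed base directory, are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: every session workspace must live under one configured base directory.
ALLOWED_BASE = Path(tempfile.gettempdir(), "webui-workspaces-example").resolve()


class WorkspaceError(ValueError):
    """Raised when a workspace or file path falls outside the allowed area."""


def validate_workspace(raw):
    """Single check shared by every code path that accepts a workspace value."""
    if not isinstance(raw, str) or not raw.strip():
        raise WorkspaceError("workspace missing")
    ws = Path(raw).resolve()  # collapses '..' segments and follows symlinks
    if ws != ALLOWED_BASE and ALLOWED_BASE not in ws.parents:
        raise WorkspaceError(f"workspace outside allowed base: {ws}")
    return ws


def import_session(session):
    """Hypothetical import handler: reject the session before it is stored."""
    ws = validate_workspace(session.get("workspace", ""))
    return {**session, "workspace": str(ws)}


def resolve_session_file(workspace, rel_path):
    """Hypothetical file-API helper: containment is re-checked on every request."""
    # Re-validating here also covers sessions stored before the import check existed.
    ws = validate_workspace(workspace)
    # An absolute rel_path replaces ws in the join, so it fails the check below.
    target = (ws / rel_path).resolve()
    if target != ws and ws not in target.parents:
        raise WorkspaceError(f"path escapes workspace: {rel_path}")
    return target
```

With a root workspace, a relative path such as 'etc/hosts' resolves to a real system file, which is why the workspace value has to be rejected at import rather than relying on the per-file check alone.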
