JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*, +1 more
- <= 3.8.0
A zip bomb vulnerability has been identified in JeecgBoot versions through 3.8.0. The issue is in the Document Library Upload feature, specifically the 'unzipFile' function of the 'AiragKnowledgeDocServiceImpl' class, which extracts uploaded archives without limiting the size of the extracted contents. A relatively small zip file can therefore expand to an enormous size on extraction (approximately 281 terabytes), overwhelming system resources and disrupting the service. The vulnerability is remotely exploitable, and details of the issue have been made public.
Exploitation leads to a denial-of-service condition: system resources, particularly disk space, are consumed until the service becomes unavailable.
To reproduce this vulnerability, upload a zip file named 'zblg.zip' through the Document Library Upload interface. This file should be less than 10 megabytes in size but, when unzipped, will extract to around 281 terabytes. The upload can be done via a POST request to '/jeecg-boot/airag/knowledge/doc/import/zip', including the 'knowId' parameter.
Users are advised to update to the latest version of JeecgBoot, where this vulnerability has been fixed. Those unable to update should enforce limits on uploaded archive size and on the total size extracted from an archive, and monitor for unusually high compression ratios.
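The following is an added illustration of the kind of bounded extraction the mitigation describes; it is not JeecgBoot's own code or its fix. It counts bytes actually inflated rather than trusting header sizes, and aborts once a per-entry size, total size, entry count or compression ratio limit is exceeded (all limit values are assumptions to be tuned per deployment).

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Bounded zip extraction; the limit constants below are illustrative assumptions. */
public final class SafeUnzip {
    static final long MAX_TOTAL_BYTES = 200L * 1024 * 1024; // 200 MiB across all entries
    static final long MAX_ENTRY_BYTES = 50L * 1024 * 1024;  // 50 MiB for any single entry
    static final int  MAX_ENTRIES     = 500;                // cap on number of entries
    static final long MAX_RATIO       = 100;                // uncompressed : compressed

    /** Extracts zip into destDir, throwing IOException as soon as any limit is exceeded.
     *  On failure the caller should delete destDir, since partial output may remain. */
    public static void unzip(Path zip, Path destDir) throws IOException {
        long zipSize = Math.max(1, Files.size(zip)); // avoid division by zero
        long totalOut = 0;
        int entries = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zin = new ZipInputStream(Files.newInputStream(zip))) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                if (++entries > MAX_ENTRIES) throw new IOException("too many entries");
                // Path traversal guard: the resolved target must stay inside destDir.
                Path target = destDir.resolve(e.getName()).normalize();
                if (!target.startsWith(destDir.normalize()))
                    throw new IOException("entry escapes destination: " + e.getName());
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                long entryOut = 0;
                try (OutputStream out = Files.newOutputStream(target)) {
                    int n;
                    while ((n = zin.read(buf)) > 0) {
                        entryOut += n;
                        totalOut += n;
                        // Header sizes can lie; enforce limits on bytes actually inflated.
                        if (entryOut > MAX_ENTRY_BYTES || totalOut > MAX_TOTAL_BYTES
                                || totalOut / zipSize > MAX_RATIO)
                            throw new IOException("extraction limit exceeded at " + e.getName());
                        out.write(buf, 0, n);
                    }
                }
            }
        }
    }
}
```

Pairing this with a cap on the uploaded archive size itself (the advisory's small-file-to-281-terabyte case is exactly what the ratio check stops early) keeps disk consumption bounded even when an upload reaches the extraction step.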