Kotaemon Path Traversal Vulnerability Allowing Sensitive File Exfiltration

Vulnerability

A path traversal vulnerability exists in Kotaemon versions prior to 0.10.7. The issue arises in the 'index_fn' method of 'libs/ktem/ktem/index/file/ui.py', which accepts both URLs and local file paths without proper validation. Because the supplied path is never checked, an attacker can traverse directories and read sensitive files such as the '.env' file. The vulnerability is triggered by submitting a link or path that the application then processes and streams back, resulting in unauthorized access to confidential information.

Impact

Exploitation of this vulnerability allows for directory traversal, enabling attackers to access and exfiltrate sensitive files from the server.

Reproduction

To reproduce this vulnerability, submit a link or file path containing directory traversal sequences (such as '../../../../../.env') through the application's file upload feature. The 'index_fn' method processes the input without validation, so the specified file is reached through the traversal and read.

Remediation

Users should update to Kotaemon version 0.10.7 or later, where this vulnerability has been patched.
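One way the file-path branch of such an indexing entry point can be hardened, as an added example that is not Kotaemon's own patch (the function names, the upload-root layout and the sample files are assumptions for illustration): remote inputs are restricted to web schemes so the URL branch cannot read local files, and local inputs are resolved and confined to the upload directory before they are opened.

```python
"""Added example (not Kotaemon's code): confine user-supplied inputs to web URLs or
files inside an upload root, rejecting traversal such as '../../../../../.env'."""
from pathlib import Path
from urllib.parse import urlparse
import tempfile

ALLOWED_SCHEMES = {"http", "https"}


class RejectedInput(ValueError):
    """Raised when an input is neither an allowed URL nor a file inside the upload root."""


def classify_input(user_input: str, upload_root: Path) -> tuple[str, str]:
    """Return ("url", url) or ("file", resolved_path); raise RejectedInput otherwise."""
    parsed = urlparse(user_input)
    if parsed.scheme:
        # Only remote web URLs pass; 'file://' and similar schemes are refused so
        # the URL branch cannot be turned into a local file read.
        if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
            raise RejectedInput(f"unsupported URL: {user_input!r}")
        return "url", user_input

    root = upload_root.resolve()
    # Resolve '..' segments, absolute paths and symlinks BEFORE comparing, so both
    # 'uploads/../../.env' and a symlink pointing outside the root are caught.
    candidate = (root / user_input).resolve()
    if candidate != root and root not in candidate.parents:
        raise RejectedInput(f"path escapes upload root: {user_input!r}")
    if not candidate.is_file():
        raise RejectedInput(f"not a regular file: {user_input!r}")
    return "file", str(candidate)


def demo() -> dict[str, bool]:
    """Run the check against a constructed upload directory; True means accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        # Constructed stand-in for the secrets file a traversal would aim at.
        (Path(tmp) / ".env").write_text("SECRET=constructed-sample\n")
        probes = {
            "inside_root": "report.pdf",
            "traversal": "../.env",
            "deep_traversal": "../../../../../.env",
            "absolute": str(Path(tmp) / ".env"),
            "file_url": "file://" + str(Path(tmp) / ".env"),
            "web_url": "https://example.com/doc.pdf",
        }
        results = {}
        for label, value in probes.items():
            try:
                classify_input(value, root)
                results[label] = True
            except RejectedInput:
                results[label] = False
        return results
```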

Added: Jul 2, 2025, 4:43 PM
Updated: Jul 2, 2025, 4:43 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 6.3
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.