Cinnamon kotaemon ZIP Bomb Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Cinnamon kotaemon version 0.11.0. The '_may_extract_zip' function in 'libs/ktem/ktem/index/file/ui.py' extracts uploaded ZIP archives with 'extractall' without validating their contents: neither the declared uncompressed size nor the number of members is checked before decompression begins. An attacker can therefore upload a ZIP bomb, a small archive that expands to a very large amount of data, and make the server exhaust its resources while extracting it. The extracted files are written to a temporary folder that is cleared before each extraction, so a later upload removes the expanded data, but the extraction itself still consumes the resources; if no further file is uploaded, the decompressed data keeps occupying disk space and can degrade availability. Any user with file-upload permission can trigger the issue.

Impact

Exploitation drives uncontrolled consumption of CPU and memory during decompression, which can crash the service or take down the host system. It also leaves an excessive amount of data on disk, which can disrupt normal system operation until the extraction folder is cleared.

Reproduction

To reproduce this vulnerability, act as a user with file-upload permission and upload a crafted ZIP bomb through the application's file upload feature. The '_may_extract_zip' function extracts the archive without any validation, so decompression proceeds until the archive is fully expanded or server resources are exhausted. Because the extraction folder is only cleared at the next extraction, the expanded data stays on disk until another archive is uploaded.

Remediation

Users should update to the patched version of Cinnamon kotaemon, which validates archives before and during extraction so that ZIP bombs are rejected rather than expanded. The patch replaces the 'extractall' method with streamed extraction, enforces limits on file size and member count, rejects encrypted entries, whitelists file extensions, and cleans up partially extracted data on error. Streaming is what makes the size limit trustworthy: the sizes recorded in ZIP headers are attacker-controlled, so the limit should be applied to the bytes actually produced during decompression rather than to declared values alone. Until the update is applied, restricting file-upload permission to trusted users reduces exposure.
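The following is an added example, not kotaemon's code and not the project's patch. It serves both the reproduction and remediation sections above: it builds a small high-ratio test archive of the kind the reproduction describes (constructed in memory, 16 MiB of zeros that deflate to a few kilobytes), shows the unchecked 'extractall' pattern, and contrasts it with a streamed extractor that applies the controls the patch is described as adding (member count, per-member and total size limits, rejection of encrypted entries, an extension whitelist, cleanup on error). The budget values, the allowed extensions, the compression-ratio check and the path-traversal guard are assumptions chosen for illustration.

```python
from __future__ import annotations

import io
import shutil
import tempfile
import zipfile
from pathlib import Path

MAX_MEMBERS = 100                        # assumed budget values; tune per deployment
MAX_MEMBER_SIZE = 50 * 1024 * 1024       # bytes per entry
MAX_TOTAL_SIZE = 200 * 1024 * 1024       # bytes for the whole archive
MAX_RATIO = 100.0                        # uncompressed / compressed (assumed threshold)
ALLOWED_SUFFIXES = {".pdf", ".txt", ".md", ".csv", ".docx"}  # assumed whitelist
CHUNK = 1 << 20

class UnsafeArchive(ValueError):
    """Archive failed a pre-extraction or streaming check."""

def build_test_bomb(uncompressed: int = 16 * 1024 * 1024) -> bytes:
    """Constructed input: one member of zeros; deflate packs it at roughly 1000:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", b"\0" * uncompressed)
    return buf.getvalue()

def build_benign_zip() -> bytes:
    """Constructed input: two small documents, one in a subdirectory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"hello kotaemon\n" * 100)
        zf.writestr("docs/readme.md", b"# readme\n")
    return buf.getvalue()

def naive_extract(zip_bytes: bytes, dest: str) -> None:
    """The unchecked pattern: whatever the archive expands to is written to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)

def vet_members(zf: zipfile.ZipFile) -> list[zipfile.ZipInfo]:
    """Header-level checks. Headers are attacker-controlled, so sizes are re-checked on stream."""
    infos = [i for i in zf.infolist() if not i.is_dir()]
    if len(infos) > MAX_MEMBERS:
        raise UnsafeArchive(f"too many members: {len(infos)}")
    total = 0
    for info in infos:
        name = Path(info.filename)
        if info.flag_bits & 0x1:  # general purpose flag bit 0 = encrypted entry
            raise UnsafeArchive(f"encrypted entry: {info.filename}")
        if name.is_absolute() or ".." in name.parts:  # path traversal guard (added hardening)
            raise UnsafeArchive(f"unsafe path: {info.filename}")
        if name.suffix.lower() not in ALLOWED_SUFFIXES:
            raise UnsafeArchive(f"extension not allowed: {info.filename}")
        if info.file_size > MAX_MEMBER_SIZE:
            raise UnsafeArchive(f"declared size too large: {info.filename}")
        ratio = info.file_size / max(info.compress_size, 1)
        if ratio > MAX_RATIO:
            raise UnsafeArchive(f"compression ratio {ratio:.0f}:1 too high: {info.filename}")
        total += info.file_size
        if total > MAX_TOTAL_SIZE:
            raise UnsafeArchive("declared total size exceeds budget")
    return infos

def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Streamed extraction under a running byte budget; partial output is removed on failure."""
    root = Path(dest)
    root.mkdir(parents=True, exist_ok=True)
    created: list[Path] = []
    total = 0
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in vet_members(zf):
                target = root / info.filename
                target.parent.mkdir(parents=True, exist_ok=True)
                created.append(target)
                written = 0
                with zf.open(info) as src, open(target, "wb") as dst:
                    while chunk := src.read(CHUNK):
                        written += len(chunk)
                        total += len(chunk)
                        # Budget applied to real bytes, not to the header's claim.
                        if written > info.file_size or written > MAX_MEMBER_SIZE or total > MAX_TOTAL_SIZE:
                            raise UnsafeArchive(f"stream exceeded budget at {info.filename}")
                        dst.write(chunk)
    except Exception:
        for path in created:  # cleanup so partial output does not accumulate
            path.unlink(missing_ok=True)
        raise
    return [p.relative_to(root).as_posix() for p in created]

def try_extract(zip_bytes: bytes) -> tuple[list[str], str | None]:
    """Extract into a throwaway directory; return (written names, rejection reason or None)."""
    dest = tempfile.mkdtemp(prefix="zipcheck_")
    try:
        return safe_extract(zip_bytes, dest), None
    except UnsafeArchive as exc:
        return [], str(exc)
    finally:
        shutil.rmtree(dest, ignore_errors=True)
```

Running 'try_extract(build_benign_zip())' writes both members and returns their names, while 'try_extract(build_test_bomb())' is rejected at the header stage on the compression ratio before a single byte is decompressed; 'naive_extract' on the same archive would expand all 16 MiB. The streaming guard in 'safe_extract' is what catches an archive whose headers pass the cheap checks but lie about sizes; CPython's 'zipfile' also stops reading at the declared size and verifies the CRC, so a forged header typically surfaces as 'zipfile.BadZipFile', which the 'except' clause cleans up after before re-raising.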

Added: Nov 24, 2025, 8:18 PM
Updated: Nov 24, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.