JeecgBoot Remote Command Execution Vulnerability

A remote code execution vulnerability has been identified in JeecgBoot version 3.9.1. This issue arises in the 'Retrieval-Augmented Generation' component, specifically within the 'importDocumentFromZip' function of the 'AiragKnowledgeController.java' file. The vulnerability is rooted in improper handling of ZIP file uploads, which can be exploited to execute arbitrary commands on the server. The issue was reported by a user, but the project maintainers have not yet addressed it.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where JeecgBoot 3.9.1 is running.

Reproduction

To reproduce this vulnerability, upload a ZIP file containing a specific file name, such as 'calc.exe' and '1.pdf', to the JeecgBoot knowledge base. Ensure that the 'MinerU' parsing option is enabled in the application configuration. Once the ZIP file is uploaded, the application will deserialize the contents and execute any included commands, such as opening the 'calc.exe' file.