| Field | Value |
|---|---|
| Title | jeecgboot 3.9.0 Absolute Path Traversal |
| Description | A Restricted Arbitrary File Read vulnerability exists in the Jeecg-boot AI RAG (Retrieval-Augmented Generation) module due to insufficient input validation within the Knowledge Base editing mechanism. Specifically, the endpoint processes user-supplied JSON metadata without properly sanitizing directory traversal sequences (e.g., `../`) in the `filePath` parameter, and it fails to canonically validate that the resolved file path resides within the intended upload directory. This oversight allows authenticated attackers to manipulate the file path references, forcing the application to read, parse, and return the content of arbitrary local files residing outside the web root (provided those files match the permitted extensions), thereby leading to unauthorized information disclosure. |
| Source | https://www.yuque.com/la12138/vxbwk9/ezodz20a26g36y8m |
| User | Saul1213 (UID 94577) |
| Submitted | 2026-01-26 08:29 AM (4 months ago) |
| Moderation | 2026-02-06 03:30 PM (11 days later) |
| Status | Accepted |
| VulDB Entry | 344687 [JeecgBoot up to 3.9.0 Retrieval-Augmented Generation edit filePath directory traversal] |
| Points | 20 |