This is a report of the remote code execution vulnerability that I found in [Knowage-Server](https://github.com/KnowageLabs/Knowage-Server).
The vuln was caused by using an unsafe `org.apache.commons.jxpath.JXPathContext`.
The vulnerable code was located in https://github.com/KnowageLabs/Knowage-Server/blob/master/knowagemeta/src/main/java/it/eng/knowage/meta/service/MetaService.java#L229
To reproduce this vulnerability, follow the steps below:
1. Clone Knowage-Server-Docker from the official repo [Knowage-Server-Docker](https://github.com/KnowageLabs/Knowage-Server-Docker) and start it up
```bash
git clone https://github.com/KnowageLabs/Knowage-Server-Docker
```
trganda / gist:2affa7162a03a30a79c3f11ef09436ad
Last active July 1, 2024 02:46
Ollama Arbitrary File Write Vulnerability < v1.0.47
Hi there, before reviewing this report, there is something you should know.
I have reported this vuln to ollama's email hello@ollama.com (please refer to https://mail.google.com/mail/u/0/?ik=d5b0d8c41d&view=om&permmsgid=msg-f:1802849599934012175) on Jun 26, 2024, but I have found they have fixed this vuln with commit [zip: prevent extracting files into parent dirs](https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527) on Jun 27, 2024 and released a new version v1.0.47. But I have not got a reply from hello@ollama.com.
So I'm not sure whether this vuln can be reported to Snyk for public disclosure; if not, you can ignore this report.
This vulnerability was caused by zip-slip; see https://github.com/snyk/zip-slip-vulnerability.
In https://github.com/ollama/ollama/blob/v0.1.46/server/model.go#L80C6-L80C22,
the function `parseFromZipFile` copies each file in the zip to a temporary directory without validating the file path, so a file can be written to an arbitrary location.
Since the user
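The missing check described above, as an added example that is not ollama's code nor the fix in the linked commit: a Go helper that validates every archive entry name against the extraction directory before anything is written, run over a constructed archive. The extraction directory and entry names are assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"path/filepath"
	"strings"
)

var ErrZipSlip = errors.New("zip entry escapes destination directory")

// safeJoin resolves an entry name under destDir and rejects any result that leaves it.
func safeJoin(destDir, name string) (string, error) {
	dest := filepath.Clean(destDir)
	target := filepath.Join(dest, name) // Join cleans, so ".." segments resolve upward
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", ErrZipSlip
	}
	return target, nil
}

// vetZip splits entries into paths that may be written under destDir and names to refuse.
func vetZip(data []byte, destDir string) (accepted, rejected []string, err error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, nil, err
	}
	for _, f := range zr.File {
		target, jerr := safeJoin(destDir, f.Name)
		if errors.Is(jerr, ErrZipSlip) {
			rejected = append(rejected, f.Name)
			continue
		}
		accepted = append(accepted, target)
	}
	return accepted, rejected, nil
}

// sampleZip is a constructed archive mixing benign names with zip-slip ones.
func sampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range []string{"model/config.json", "dir/../ok.bin", "../escape.txt", "a/../../outside.txt"} {
		w, _ := zw.Create(n)
		w.Write([]byte("x"))
	}
	zw.Close()
	return buf.Bytes()
}
```

Go 1.20 and later can also refuse such names at `zip.NewReader` time when `GODEBUG=zipinsecurepath=0` is set, but the default keeps the old behaviour, so extractors still need their own check.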