A misconfiguration vulnerability with JIRA servers leaks internal user and project data of hundreds and thousands of companies which were using JIRA.
The JIRA is an Atlassian task tracking systems used by lots of companies for bug tracking and project management. It is used in over 135,000 companies in 122 countries. It is an intended tool used by IT and business service desks.
Security Engineer Avinash Jain discovered the misconfiguration vulnerability in JIRA servers that lets anyone access the “internal user data, their name, email ids, their project details on which they were working, assignee of those projects and various other information.”
Several companies affected with the vulnerability that includes tech giants such as “as NASA, Google, Yahoo to Go-Jek, HipChat, Zendesk, Sapient, Dubsmash, Western union, Lenovo, 1password, Informatica, etc and many sectors of various government around the world.”
Wrong Permissions in JIRA
The misconfiguration issue is because of the wrong permission assigned while creating the filters and dashboards, while creating new filter or dashboards by default the visibility set to all users and everyone, instead of sharing everyone within the organization.
If the permission set to everyone, then anyone can access the sensitive data by just having the URL and also being indexed by search engines. The leak exposes following sensitive details.
- all account’s employees’ names and emails,
- employees’ roles through JIRA groups,
- current projects, upcoming milestones through JIRA dashboards/filters
By using Google dorks search queries anyone can craft the search queries and pull out the sensitive information from JIRA servers.
“Thousands of companies filters, dashboards and staff data were publically exposed. It occurs because of the wrong permissions scheme set to filters and dashboards hence providing their access even to non-logged in users and hence leading to leaking of sensitive data,” Avinash Jain said.
He reported the leak to the affected companies, some companies fixed the issue and some companies yet to fix the issue.
To change the setting you can edit the current filter and set the visibility based on the project needs.