A misconfiguration vulnerability with JIRA servers leaks internal user and project data of hundreds and thousands of companies which were using JIRA.
The JIRA is an Atlassian task tracking systems used by lots of companies for bug tracking and project management. It is used in over 135,000 companies in 122 countries. It is an intended tool used by IT and business service desks.
Security Engineer Avinash Jain discovered the misconfiguration vulnerability in JIRA servers that lets anyone access the “internal user data, their name, email ids, their project details on which they were working, assignee of those projects and various other information.”
Several companies affected with the vulnerability that includes tech giants such as “as NASA, Google, Yahoo to Go-Jek, HipChat, Zendesk, Sapient, Dubsmash, Western union, Lenovo, 1password, Informatica, etc and many sectors of various government around the world.”
The misconfiguration issue is because of the wrong permission assigned while creating the filters and dashboards, while creating new filter or dashboards by default the visibility set to all users and everyone, instead of sharing everyone within the organization.
If the permission set to everyone, then anyone can access the sensitive data by just having the URL and also being indexed by search engines. The leak exposes following sensitive details.
By using Google dorks search queries anyone can craft the search queries and pull out the sensitive information from JIRA servers.
“Thousands of companies filters, dashboards and staff data were publically exposed. It occurs because of the wrong permissions scheme set to filters and dashboards hence providing their access even to non-logged in users and hence leading to leaking of sensitive data,” Avinash Jain said.
He reported the leak to the affected companies, some companies fixed the issue and some companies yet to fix the issue.
To change the setting you can edit the current filter and set the visibility based on the project needs.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.
The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…
White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…
Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…
The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…
Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…
WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…