According to a report by Bleeping Computer, several misconfigured Jira servers have been found leaking information about internal projects and users belonging to Google, NASA, Yahoo, etc.
The popular project management solution Jira, developed by Atlassian for agile teams, is used by Fortune 500 companies to track the progress of various projects and issues.
However, the latest revelation shows that anyone with a good knowledge of advanced search operators can find sensitive information via misconfigured Jira servers.
The leaked data includes names, roles, and email addresses of employees who are involved in various projects of an organization, along with the current state and development of those projects.
Misconfigured Jira servers
The source of the leak is a setting in Jira servers which is used for “controlling the visibility of filters and dashboards for projects.”
Avinash Jain, the security engineer who discovered the leak, found that whenever a new filter and dashboard are created in Jira Cloud, the default visibility is set to “all.”
While the “all” option is easily read as “all users within the organization,” it actually means everyone on the internet.
There is a provision in Jira Cloud where projects can be set up for anonymous access, meaning users do not need to log in to view them.
And a sharing option for filters and dashboards called “Public” comes with a disclaimer:
“If a filter or dashboard is shared with Public, the name of the filter or dashboard will be visible to anonymous users.”
Adding to the problem is another setting in the Global Permissions menu, where the admin can select the “Anyone” option to give access to anonymous users.
This option is not recommended for systems reachable from the public internet, because Jira’s user picker would let anyone with that access retrieve a “complete list of usernames and email addresses on the misconfigured exposed servers.”
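The settings described above can be audited from the Jira side rather than from the internet. The following script is an added example, not code from the article or from Atlassian: it takes an export of filters and dashboards in the shape of the `sharePermissions` arrays the Jira REST API returns (an assumption about the input format), classifies each item as visible to anonymous users, to logged-in users only, or restricted, and reports the items an administrator should tighten. The share type names `global` (Public), `loggedin` and `authenticated` are taken from the Jira REST API; the sample items are constructed.

```python
"""Audit exported Jira filter/dashboard share permissions for anonymous exposure.

Added example (not from the article or Atlassian). Input assumption: each item
carries a `sharePermissions` list like the one the Jira REST API returns, where
type "global" is the "Public" share (visible to anonymous users) and
"loggedin"/"authenticated" means any logged-in user of the site.
"""
import json

# Share types that expose the item to anyone on the internet.
ANONYMOUS_SHARE_TYPES = {"global"}
# Share types limited to authenticated users of this Jira site.
LOGGED_IN_SHARE_TYPES = {"loggedin", "authenticated"}


def exposure_level(share_permissions):
    """Return 'anonymous', 'logged-in' or 'restricted' for one share list.

    The widest grant wins: an item shared with a project *and* with Public
    is still public. An empty list means private to the owner.
    """
    types = {p.get("type") for p in share_permissions}
    if types & ANONYMOUS_SHARE_TYPES:
        return "anonymous"
    if types & LOGGED_IN_SHARE_TYPES:
        return "logged-in"
    return "restricted"


def audit(items):
    """Classify every filter/dashboard in the export.

    Returns a list of dicts with kind, name, owner and exposure level.
    """
    rows = []
    for item in items:
        rows.append({
            "kind": item.get("kind", "filter"),
            "name": item.get("name", "<unnamed>"),
            "owner": item.get("owner", {}).get("displayName", "<unknown>"),
            "level": exposure_level(item.get("sharePermissions", [])),
        })
    return rows


def find_anonymous(items):
    """Only the items an anonymous visitor could see; these need fixing first."""
    return [row for row in audit(items) if row["level"] == "anonymous"]


def summarize(items):
    """Count items per exposure level, e.g. {'anonymous': 2, 'restricted': 1}."""
    counts = {}
    for row in audit(items):
        counts[row["level"]] = counts.get(row["level"], 0) + 1
    return counts


def load_export(text):
    """Parse a JSON export (a list of filter/dashboard objects) from text."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON list of filter/dashboard objects")
    return data


# Constructed sample export: project names and owners are made up.
SAMPLE_EXPORT = [
    {"kind": "filter", "name": "Roadmap Q3",
     "owner": {"displayName": "A. Example"},
     "sharePermissions": [{"type": "global"}]},
    {"kind": "dashboard", "name": "Release board",
     "owner": {"displayName": "B. Example"},
     "sharePermissions": [{"type": "project", "project": {"key": "OPS"}},
                          {"type": "global"}]},
    {"kind": "filter", "name": "My open bugs",
     "owner": {"displayName": "C. Example"},
     "sharePermissions": []},
    {"kind": "dashboard", "name": "Team velocity",
     "owner": {"displayName": "D. Example"},
     "sharePermissions": [{"type": "loggedin"}]},
]


if __name__ == "__main__":
    for row in audit(SAMPLE_EXPORT):
        flag = "!!" if row["level"] == "anonymous" else "  "
        print(f"{flag} {row['kind']:<9} {row['level']:<10} {row['name']} ({row['owner']})")
    print("summary:", summarize(SAMPLE_EXPORT))
```

Run against a real export, the two `!!` rows are the ones whose sharing should be changed from Public to a project, group or “logged-in users” share; the summary line gives a quick before/after count when re-running the audit after the default filter visibility has been changed away from “all”.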
Identifying a misconfigured Jira server
The researcher was able to identify the misconfigured Jira servers by using specific search operators. He found thousands of companies’ filters, dashboards, and staff data publicly exposed on the servers.
Bleeping Computer was able to find several government domains along with private companies and educational institutions by exploiting the loophole.
Depending on the organization and the value of the information, this loophole can be used for attacks or corporate espionage.