JIRA exposes corporate data of Google, Yahoo and NASA

06.08.2019

Back to news

NASA, Yahoo, Google, Zendesk, Informatica, 1password, Lenovo, and some government institutions got their data open to public.

Information about employees of well-known organisations was disclosed due to a misconfiguration in JIRA which was reported by Avinash Jain, a Lead Infrastructure Security Engineer at Grofers.

When you set visibility to “Everyone” by default, JIRA makes data available to public – not just to every user in an organisation. When you pick a user it provides you with a name and an email of a person. There is an authorisation misconfiguration in JIRA’s Global Permissions settings.

If a violator has an access to the link, all the information, including roles, projects, and JIRA dashboards details are in front of an attacker.

Some recommendations have followed advising to go to settings, click on the System, opt for General Configuration and remove a tick from “Allow users to share dashboards and filters with the public.”

Settings configurations should be monitored, and a special software assists you with control of changes made in configurations, and evaluates whether settings conform to corporate rules and general regulations.