JIRA exposes corporate data of Google, Yahoo and NASA
06.08.2019
NASA, Yahoo, Google, Zendesk, Informatica, 1password, Lenovo, and some government institutions had their data exposed to the public.
Information about employees of well-known organisations was disclosed due to a misconfiguration in JIRA, reported by Avinash Jain, a Lead Infrastructure Security Engineer at Grofers.
When visibility is set to “Everyone”, which is the default, JIRA makes the data available to the public, not just to every user in the organisation. When you pick a user, it shows that person’s name and email address. The root cause is an authorisation misconfiguration in JIRA’s Global Permissions settings.
If an attacker has access to the link, all of that information, including roles, projects, and JIRA dashboard details, is exposed to them.
Recommendations followed advising administrators to go to Settings, click System, choose General Configuration and untick “Allow users to share dashboards and filters with the public.”
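An audit check for the sharing misconfiguration described above, added here as an example that is not part of the original article or of Atlassian's code. It assumes filter and dashboard share settings have been exported in the `sharePermissions` shape used by Jira's REST API, where a `global` entry means shared with everyone (public) while `authenticated` / `loggedin` means logged-in users only; the sample objects are constructed.

```python
import json

# Constructed sample data (not from the article). The shape assumes Jira's
# REST representation: each filter/dashboard carries a "sharePermissions"
# list whose "type" values include "global" (public), "authenticated" or
# "loggedin" (any logged-in user), "group", "project" or nothing (private).
SAMPLE_OBJECTS = json.loads("""
[
  {"kind": "filter", "id": "10001", "name": "All open bugs",
   "sharePermissions": [{"type": "global"}]},
  {"kind": "filter", "id": "10002", "name": "My sprint",
   "sharePermissions": [{"type": "authenticated"}]},
  {"kind": "dashboard", "id": "10100", "name": "Ops overview",
   "sharePermissions": [{"type": "loggedin"}, {"type": "global"}]},
  {"kind": "dashboard", "id": "10101", "name": "Security triage",
   "sharePermissions": [{"type": "group", "group": {"name": "sec-team"}}]},
  {"kind": "dashboard", "id": "10102", "name": "Private board",
   "sharePermissions": []}
]
""")

PUBLIC_TYPES = {"global"}                     # anyone on the internet, no login
LOGGED_IN_TYPES = {"authenticated", "loggedin"}


def classify(share_permissions):
    """Return the widest audience a share-permission list grants."""
    types = {p.get("type") for p in share_permissions}
    if types & PUBLIC_TYPES:
        return "public"          # the "Everyone" setting the article warns about
    if types & LOGGED_IN_TYPES:
        return "logged-in"
    if types:
        return "restricted"      # group, project or project-role scoped
    return "private"


def find_public_shares(objects):
    """List (kind, id, name) of every filter/dashboard visible without a login."""
    return [(o["kind"], o["id"], o["name"])
            for o in objects if classify(o["sharePermissions"]) == "public"]


if __name__ == "__main__":
    for kind, oid, name in find_public_shares(SAMPLE_OBJECTS):
        print(f"PUBLIC {kind} {oid} '{name}': restrict to logged-in users or a group")
```

On a real instance, feed the script the JSON returned for your own filters and dashboards and fix every item it reports before disabling public sharing globally, so existing public shares do not linger.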