Google And NASA Are ‘Leaking Data’ Via Misconfigured Jira Servers


According to a report by Bleeping Computer, several misconfigured Jira servers have been found leaking information about internal projects and users belonging to Google, NASA, Yahoo, etc.


The popular project management solution Jira, developed by Atlassian for agile teams, is used by Fortune 500 companies to track the progress of various projects and issues.






However, the latest revelation shows that anyone with a good knowledge of advanced search operators can find sensitive information via misconfigured Jira servers.


The leaked data includes names, roles, and email addresses of employees who are involved in various projects of an organization, along with the current state and development of those projects.


Misconfigured Jira servers


The source of the leak is a setting in Jira servers which is used for “controlling the visibility of filters and dashboards for projects.”


Avinash Jain, the security engineer who discovered the leak, found that whenever a new filter and dashboard are created in Jira Cloud, the default visibility is set to “all.”


The “all” option is interpreted as ‘all within the organization,’ but it actually refers to everyone on the internet.


Visibility problem


There is a provision in Jira Cloud where projects can be set up for anonymous access — meaning it does not require a user to log in.


And a sharing option for filters and dashboards called “Public” comes with a disclaimer:


“If a filter or dashboard is shared with Public, the name of the filter or dashboard will be visible to anonymous users.” 
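As an added example (not from the original report or from Atlassian), the audit below flags filters and dashboards whose sharing reaches anonymous users. It assumes an export shaped like Jira Cloud REST API filter and dashboard objects, where a share permission of type `global` is the "Public" option; the `kind` and flat `owner` fields and all sample records are constructed.

```python
import json

# Constructed sample (not real data). "kind" and the flat "owner" string are
# hypothetical export fields; "sharePermissions[].type" follows the Jira Cloud
# REST API shape.
SAMPLE = json.loads("""[
  {"kind": "filter", "id": "10001", "name": "Open release blockers",
   "owner": "a.user@example.com", "sharePermissions": [{"type": "global"}]},
  {"kind": "dashboard", "id": "10002", "name": "Team board",
   "owner": "b.user@example.com", "sharePermissions": [{"type": "loggedin"}]},
  {"kind": "filter", "id": "10003", "name": "My drafts",
   "owner": "a.user@example.com", "sharePermissions": []},
  {"kind": "filter", "id": "10004", "name": "Platform backlog",
   "owner": "c.user@example.com",
   "sharePermissions": [{"type": "project"}, {"type": "global"}]}
]""")

# Exposure levels, least to most exposed.
LEVELS = ["private", "restricted", "all-logged-in-users", "public"]
TYPE_TO_LEVEL = {
    "global": "public",                  # the "Public" option: anonymous users
    "loggedin": "all-logged-in-users",
    "authenticated": "all-logged-in-users",
}


def exposure(item):
    """Return the widest exposure granted by any share permission on item."""
    worst = "private"  # no share permissions: visible to the owner only
    for perm in item.get("sharePermissions") or []:
        level = TYPE_TO_LEVEL.get(perm.get("type"), "restricted")
        if LEVELS.index(level) > LEVELS.index(worst):
            worst = level
    return worst


def audit(items, threshold="public"):
    """List (kind, id, name, owner, exposure) for items at or above threshold."""
    floor = LEVELS.index(threshold)
    return [
        (i.get("kind"), i.get("id"), i.get("name"), i.get("owner"), exposure(i))
        for i in items
        if LEVELS.index(exposure(i)) >= floor
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("REVIEW:", *row)
```

An item with several share permissions is rated by its widest one, so a filter shared with both a project and "Public" is still reported as public.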

