Jira, the popular project management software developed by Atlassian, is used by Fortune 500 companies to track the progress of projects and issues.
The latest revelation, however, shows that anyone with a good knowledge of Jira's advanced search can access sensitive information through misconfigured Jira servers.
The leaked data includes the names, positions and email addresses of employees involved in an organization's various projects, along with the current status and progress of those projects.
Misconfigured Jira servers
The leak was caused by a setting on Jira servers that controls "the visibility of filters and dashboards."
Avinash Jain, the security engineer who discovered the leak, found that whenever a new filter or dashboard was created in Jira Cloud, its default visibility was set to "everyone". While the "everyone" option reads as "everyone in the organization", it actually means everyone on the internet.
Jira Cloud also allows projects to be configured for anonymous access, meaning a user does not need to log in to view them.
There is a sharing option for filters and dashboards called "Public" that comes with a disclaimer:
"If a filter or dashboard is shared publicly, the name of the filter or dashboard will be visible to anonymous users."
A further problem is a setting in the Global Permissions menu where an administrator can select the "Any" option to grant anonymous users access.
For systems reachable from the public Internet this option is not recommended, because Jira's user selection feature would let an unauthenticated user retrieve a "complete list of usernames and email addresses from their servers."
Bleeping Computer found several government domains, along with domains of private companies and educational institutions, using this setting.
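The "everyone"/Public sharing described above can be audited rather than checked by hand. The following is an added example, not code from the article or from Atlassian; it assumes the Jira Cloud REST API filter and dashboard search endpoints (with `expand=sharePermissions`) return a `sharePermissions` list whose `type` is `global` for Public sharing and `loggedin`/`authenticated` for any logged-in user, and it runs the classification over a constructed sample response.

```python
import base64
import json
import urllib.request
from typing import Iterable

# Assumed Jira Cloud share-permission types: "global" is the Public option
# (anyone on the internet); "loggedin"/"authenticated" is any logged-in user.
PUBLIC_TYPES = {"global"}
LOGGED_IN_TYPES = {"loggedin", "authenticated"}


def classify_exposure(share_permissions: Iterable[dict]) -> str:
    """Return 'public', 'logged-in' or 'restricted' for one item's share list."""
    types = {p.get("type") for p in share_permissions}
    if types & PUBLIC_TYPES:
        return "public"
    if types & LOGGED_IN_TYPES:
        return "logged-in"
    return "restricted"


def find_public(payload: dict, kind: str) -> list:
    """List items in a search payload ({"values": [...]}) shared with anonymous users."""
    findings = []
    for item in payload.get("values", []):
        if classify_exposure(item.get("sharePermissions", [])) == "public":
            findings.append({"kind": kind, "id": str(item.get("id")), "name": item.get("name")})
    return findings


def fetch_search(site: str, email: str, api_token: str, kind: str) -> dict:
    """Fetch one page of filters or dashboards (assumed endpoints; not run offline)."""
    path = f"/rest/api/3/{kind}/search?expand=sharePermissions"
    creds = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    req = urllib.request.Request(site.rstrip("/") + path,
                                 headers={"Authorization": f"Basic {creds}",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response mimicking the API shape (not real data).
SAMPLE_FILTERS = {"values": [
    {"id": "10001", "name": "Roadmap Q3", "sharePermissions": [{"id": 1, "type": "global"}]},
    {"id": "10002", "name": "My open bugs", "sharePermissions": []},
    {"id": "10003", "name": "Team board", "sharePermissions": [{"id": 2, "type": "loggedin"}]},
]}

if __name__ == "__main__":
    for f in find_public(SAMPLE_FILTERS, "filter"):
        print(f"PUBLIC {f['kind']} {f['id']}: {f['name']}")
```

Run `find_public(fetch_search(site, email, token, "filter"), "filter")` (and likewise for `"dashboard"`) against a real site to list items that should be re-shared to a project or group.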