- A misconfiguration in NASA's JIRA web application exposed sensitive information about employees and projects.
- The flaw allowed anyone on the internet, with no account, to access the data.
- The exposed data included internal user details, project details, employee names and employee email addresses.
- The issue occurred because filters and dashboards were shared with the public and Global Permissions were set too broadly.
A misconfiguration in NASA's JIRA web application exposed sensitive information about employees and projects.
Jira is Atlassian's project management software, used for tracking projects and issues.
The flaw exposed internal NASA information such as user details, project details, employee names and employee email addresses.
When sharing a filter or dashboard, an admin can set its visibility to either "All users" or "Everyone". "All users" shares it with every logged-in member of the organization; "Everyone" shares it publicly, meaning anyone on the internet can access the data without authenticating.
The app also has a user picker (the autocomplete used when assigning issues or adding watchers) which, when exposed, returns a complete list of every user's username and email address.
According to the researcher, the leak was caused by an authorization misconfiguration in Jira's Global Permissions settings, which control who may browse the user directory that the user picker relies on. The sensitive information exposed included:
- the names and email addresses of all employees with accounts
- employees' roles, via their JIRA group memberships
- current projects and upcoming milestones, via JIRA dashboards and filters
This misconfiguration allowed any unauthenticated visitor to retrieve the complete list of every NASA user's username and email address.
The researcher also shared a screenshot containing the details of about 1,000 NASA employees exposed by the flaw.
The researcher notified NASA and US-CERT of the issue on September 3, and the issue was found to be fixed on September 25.
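The two exposures described above (publicly shared dashboards/filters and a user picker that answers anonymous requests) can be checked for without credentials, which is exactly why they matter. The following Python script is an added example, not the researcher's tooling or anything NASA ran: it issues unauthenticated GETs against two real Jira REST endpoints, `/rest/api/2/dashboard` and `/rest/api/2/user/picker`, and reports whatever comes back. The sample responses embedded in it are constructed to match the shape of the real API output so the assessment logic runs offline; only probe instances you are authorised to test.

```python
"""Anonymous-exposure probe for publicly shared Jira dashboards and an
unauthenticated user picker. Added example; every request is sent WITHOUT
credentials, so anything returned is visible to the whole internet."""
import json
import sys
import urllib.error
import urllib.request

# Real Jira REST endpoints (present on Server/Data Center and Cloud).
DASHBOARD_EP = "/rest/api/2/dashboard"            # dashboards the caller may view
USER_PICKER_EP = "/rest/api/2/user/picker?query="  # autocomplete behind the user picker


def http_get_json(url, timeout=10):
    """Unauthenticated GET; returns (HTTP status, parsed JSON or None).
    Status 0 means the request never completed (DNS, refused, bad JSON)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return e.code, None
    except (urllib.error.URLError, ValueError):
        return 0, None


def assess(dashboard_status, dashboard_body, picker_status, picker_body):
    """Turn the two anonymous responses into findings.

    A 401/403, or a 200 with an empty list, means anonymous users get nothing.
    A 200 carrying dashboards or users is the misconfiguration described in
    the article: content shared with "Everyone", or Browse Users granted to
    anonymous visitors."""
    findings = {"public_dashboards": [], "user_picker_open": False, "users_seen": []}
    if dashboard_status == 200 and dashboard_body:
        for d in dashboard_body.get("dashboards", []):
            # "System Dashboard" is often visible anonymously on default installs;
            # anything else listed here was explicitly shared with the public.
            findings["public_dashboards"].append(d.get("name", "?"))
    if picker_status == 200 and picker_body:
        users = picker_body.get("users", [])
        if users:
            findings["user_picker_open"] = True
            # Server returns "name"/"displayName"; Cloud returns "displayName"/"accountId".
            findings["users_seen"] = [u.get("displayName") or u.get("name", "?") for u in users]
    return findings


def probe(base_url, query="a"):
    """Run both anonymous checks against a live instance. A single-letter
    query is enough: the picker matches on name/email prefixes."""
    base = base_url.rstrip("/")
    ds, db = http_get_json(base + DASHBOARD_EP)
    ps, pb = http_get_json(base + USER_PICKER_EP + query)
    return assess(ds, db, ps, pb)


# Constructed sample responses (not captured from any real instance), shaped
# like the real API output, so assess() can be exercised offline.
SAMPLE_DASHBOARDS = {"startAt": 0, "maxResults": 20, "total": 2, "dashboards": [
    {"id": "10000", "name": "System Dashboard"},
    {"id": "10123", "name": "Mission Ops - Q3 milestones"},
]}
SAMPLE_PICKER = {"users": [
    {"name": "jdoe", "displayName": "Jane Doe", "html": "Jane Doe - jdoe@example.gov"},
    {"name": "asmith", "displayName": "Alex Smith", "html": "Alex Smith - asmith@example.gov"},
], "total": 2, "header": "Showing 2 of 2 matching users"}


def demo():
    """Exposed instance vs. locked-down instance, using the constructed samples."""
    exposed = assess(200, SAMPLE_DASHBOARDS, 200, SAMPLE_PICKER)
    locked = assess(200, {"dashboards": []}, 401, None)
    return exposed, locked


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(probe(sys.argv[1]), indent=2))
    else:
        for label, f in zip(("exposed", "locked-down"), demo()):
            print(label, json.dumps(f))
```

Run it with a base URL (`python probe.py https://jira.example.org`) to test a real instance, or with no arguments to see the two constructed cases. A non-empty `users_seen` from an unauthenticated call is the finding to fix first: remove Browse Users from the anonymous group in Global Permissions, then audit every filter and dashboard whose share target is "Everyone".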