NASA Web App JIRA Flaw Leaked Sensitive Details of Employees and Projects

  • A misconfiguration flaw in the NASA web app JIRA exposed sensitive information of employees.
  • The flaw allowed anyone on the internet to access the data.
  • The flaw exposed sensitive information such as internal user details, project details, employee names and employee email IDs.
  • The issue occurred because wrong permissions were assigned.

A misconfiguration issue in NASA web app JIRA has exposed sensitive information of employees and projects.

Jira is an Atlassian project management software used for tracking projects and issues.

The flaw exposed internal sensitive information of NASA such as internal user details, project details, employee names and employee email IDs.

The issue was discovered by security researcher Avinash Jain, who said that it was due to wrong permissions being assigned.

When applying a filter, an admin can set its visibility to either Everyone or All users. All users shares it with everyone in the organization, while Everyone shares it publicly, which means anyone on the internet can access the data.

The app also has a user picker functionality which gives a complete list of every user’s username and email address.

According to the researcher, the leakage was due to an authorization misconfiguration in Jira’s Global Permissions settings. The sensitive information exposed includes:

  • names and emails of all employee accounts
  • employees’ roles through JIRA groups
  • current projects, upcoming milestones through JIRA dashboards/filters.

This misconfiguration allowed any user to access the complete list of every NASA user’s username and email address.
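The visibility setting described above can be audited from an export of an instance's own filters. The following is an added example, not code from the researcher or from Atlassian: it assumes each record carries a `sharePermissions` list as in Jira's REST filter resource, and that the public "Everyone" setting appears as type `global` and "All users" as type `loggedin`; the sample records are constructed.

```python
import json

# Constructed sample records shaped like Jira's REST filter resource.
SAMPLE_FILTERS = json.loads("""
[
  {"id": "10001", "name": "Open milestones", "owner": {"name": "alice"},
   "sharePermissions": [{"id": 1, "type": "global"}]},
  {"id": "10002", "name": "Team backlog", "owner": {"name": "bob"},
   "sharePermissions": [{"id": 2, "type": "loggedin"}]},
  {"id": "10003", "name": "Ops queue", "owner": {"name": "carol"},
   "sharePermissions": [{"id": 3, "type": "project", "project": {"key": "OPS"}}]},
  {"id": "10004", "name": "Private scratch", "owner": {"name": "dave"},
   "sharePermissions": []},
  {"id": "10005", "name": "Mixed shares", "owner": {"name": "erin"},
   "sharePermissions": [{"id": 4, "type": "group", "group": {"name": "eng"}},
                        {"id": 5, "type": "global"}]}
]
""")

# Assumed mapping of share types to exposure levels (see lead-in).
RISK = {"global": "PUBLIC", "loggedin": "ORG_WIDE"}
ORDER = {"PUBLIC": 0, "ORG_WIDE": 1}


def audit_filters(filters):
    """Return filters shared beyond a named project/group, worst exposure first."""
    findings = []
    for f in filters:
        perms = f.get("sharePermissions") or []
        levels = {RISK[p.get("type")] for p in perms if p.get("type") in RISK}
        if not levels:
            continue  # private, or shared only with specific projects/groups
        # A filter with several shares is reported at its widest exposure.
        worst = min(levels, key=ORDER.get)
        findings.append({
            "id": f.get("id"),
            "name": f.get("name"),
            "owner": (f.get("owner") or {}).get("name"),
            "exposure": worst,
        })
    return sorted(findings, key=lambda r: (ORDER[r["exposure"]], r["id"]))


if __name__ == "__main__":
    for row in audit_filters(SAMPLE_FILTERS):
        print(f'{row["exposure"]:9} filter {row["id"]} "{row["name"]}" owner={row["owner"]}')
```

Filters reported as PUBLIC are the ones to re-share with a specific project or group; the same check applies to dashboards, which carry share permissions in the same way.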

The researcher also shared a screenshot which contained user details of 1000 NASA employees exposed by this misconfiguration flaw.


The researcher reported the issue to NASA and US-CERT on September 3, and the issue was found fixed on September 25.
