Exposed JIRA server leaks NASA staff and project data!
Here, I’ll be talking about an interesting vulnerability that I have found in NASA Jira (An Atlassian task tracking systems/project management software etc.) or more specifically a misconfiguration issue which caused the leakage of internal sensitive information of NASA including their internal user details, project details, employee names, employees mail id etc. Let’s see what was the exact issue —
One of the biggest concerns of any company is ensuring that internal information is kept confidential and only available to specific individuals within and outside of an organisation. In other words by providing security, integrity and availability of their data (among another aspects), companies can sustain competitive advantage regarding their development plans, findings, talent employment etc.
There are a couple of settings in Jira that, when not configured properly, may disclose information about the application and its users and it can provide unauthorized access to some internal data of the companies to any other user over the internet. This information may aid an attacker in gaining access to the application.
In Jira, while creating filters or dashboards it provides some visibility option to set on them. The issue was due to the wrong permissions assigned to them. When the filters or dashboards are set the visibility to “All users” and “Everyone” respectively, which instead of sharing with everyone of the organization (which people interpret), it share them publically. There is also a user picker functionality in Jira which gives a complete list of every user’s username and email address. This information disclosure is the result of an authorization misconfiguration in Jira’s Global Permissions settings. Because of the wrong permissions scheme, the following internal information appeared to be vulnerable:
- all account’s employees’ names and emails,
- employees’ roles through JIRA groups,
- current projects, upcoming milestones through JIRA dashboards/filters.
NASA User Details Exposed
I found that Jira instance used by NASA had a misconfigured setting where any anonymous user can access the user picker functionality (described as above) and pulls out the complete list of every NASA user’s username and email address.
As can be seen in the above screenshot (first line) there are in total of 1000 NASA internal user details which were getting disclosed by this misconfigured Jira setting.
Manage Filters Revealing Useful Information
While this not as severe as above but it is similar to the browse users issue. NASA Jira instance also had a misconfiguration related to Filters setting which lists the most popular filters used to categorizes issues and tasks within the application. It also lists the username of the person who ‘owns’ each of these filters. This will likely not be a complete list of users like the browse users function, but can glean useful information about how usernames are formatted. Additionally, it can give an attacker an idea of what kind of information may be housed within the application and what projects team is working upon along with showing features of different projects.
And this is how by exploiting Jira misconfiguration issue, I was able to access sensitive information of NASA including their internal user details, project details, employee names, employees mail id etc.
03-Sept-2018 — Bug reported to the SOC NASA team and CERT US team.
25-Sept-2018 — Bug was found to be fixed.
17-Oct-2018 — Received appreciation from CERT team.
09-Nov-2018 — Informed the concerned teams about public disclosure.
Thanks for reading!