A misconfiguration in a NASA web app that uses a JIRA server has exposed sensitive information about employees and projects. JIRA is Atlassian's project management software, used by most companies to track projects and issues.
Type of information exposed
The data exposed by the flaw included usernames, email addresses and job roles of employees. It also contained the names of current projects and upcoming milestones.
The issue was discovered by security researcher Avinash Jain, who said that the leak was caused by an authorization misconfiguration in JIRA's Global Permission settings.
“The issue was due to the wrong permissions assigned to them. When the filters or dashboards are set the visibility to 'All users' and 'Everyone' respectively, which instead of sharing with everyone in the organization (which people interpret), it shares them publicly. There is also a user picker functionality in Jira which gives a complete list of every user's username and email address. This information disclosure is the result of an authorization misconfiguration in Jira's Global Permissions settings,” said Jain in a blog post.
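The distinction Jain describes, between a filter or dashboard shared with every logged-in user and one shared with the whole internet, can be audited from the `sharePermissions` array that Jira's REST API returns for each filter or dashboard. The script below is an added example (not from the article, Jain's post, or Atlassian); the mapping of permission types to exposure levels and the endpoint named in the comments are assumptions based on the Jira Server API, and the sample records are constructed for this example.

```python
# Added example: classify Jira filters/dashboards by how widely they are shared.
# Input mirrors the `sharePermissions` array returned by the Jira Server REST
# API (assumed shape, e.g. GET /rest/api/2/filter/{id}); records are constructed.
import json

# Assumed meaning of Jira share-permission types:
#   global   -> shared with everyone, including anonymous visitors (public)
#   loggedin -> every authenticated account on this instance
#   project / group / user -> scoped to that project, group or single user
PUBLIC_TYPES = {"global"}

SAMPLE_FILTERS = json.loads("""[
  {"id": "10001", "name": "Mission milestones", "owner": {"name": "alice"},
   "sharePermissions": [{"id": 1, "type": "global"}]},
  {"id": "10002", "name": "Ops backlog", "owner": {"name": "bob"},
   "sharePermissions": [{"id": 2, "type": "loggedin"}]},
  {"id": "10003", "name": "Private triage", "owner": {"name": "carol"},
   "sharePermissions": []},
  {"id": "10004", "name": "Team board", "owner": {"name": "dave"},
   "sharePermissions": [{"id": 3, "type": "project", "project": {"key": "OPS"}}]}
]""")


def exposure(item):
    """Return the widest audience a filter/dashboard is shared with."""
    types = {p.get("type") for p in item.get("sharePermissions", [])}
    if types & PUBLIC_TYPES:
        return "public"       # visible without logging in
    if "loggedin" in types:
        return "all-users"    # every authenticated user of the instance
    if types:
        return "scoped"       # limited to a project, group or user
    return "private"          # owner only


def find_public(items):
    """List (id, name, owner) of every item readable without authentication."""
    return [(i["id"], i["name"], i["owner"]["name"])
            for i in items if exposure(i) == "public"]


if __name__ == "__main__":
    for fid, name, owner in find_public(SAMPLE_FILTERS):
        print(f"PUBLIC filter {fid} '{name}' owned by {owner}")
```

Run against the JSON pulled from a real instance, the `public` bucket is the list of filters and dashboards to re-share with a project or group before anonymous access is reviewed.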
Addressing the issue
The misconfiguration allowed anyone to access the complete list of every NASA user’s username and email address. Details of around 1000 NASA employees are believed to have been exposed in the data leak, although the final figure is yet to be revealed.
The researcher notified NASA and US-CERT of the issue on September 3. However, the organization did not fix the leaky JIRA server until September 25, meaning the information was publicly exposed for at least three weeks.