Graphic materials by Pavel Soldakov

Misconfig in JIRA for accessing internal information of any company

Liliya Sabitova
Flatstack Thoughts

--

One of the biggest concerns of any company is ensuring that internal information is kept confidential and is available only to specific individuals inside and outside the organisation. In other words, by ensuring the confidentiality, integrity and availability of their data (among other aspects), companies can sustain a competitive advantage regarding their development plans, findings, talent recruitment, etc.

For companies operating in the IT sphere, it is especially important to set up the tools used for day-to-day operations properly, to avoid leaks of sensitive information. One such tool, JIRA Software, is covered in this article. If it is not configured correctly, it can give unauthorised users access to some internal data of the companies using it.

JIRA is used by many companies of various sizes for progress tracking: creating and assigning tasks, planning work scope, reporting, giving employees the access they need to perform their tasks, etc. See the screenshot below of JIRA’s backlog UI:

You can learn more about JIRA and its capabilities here.

At Flatstack we also use JIRA in some of our projects, in addition to other task-tracking tools. We therefore became concerned, since our clients’ data is stored in this instrument, and the problem had to be addressed immediately.

The significance of the issue was demonstrated in the following article, when information about the “Half Life 3” game was publicly exposed:

Because of a wrong permission scheme, the following internal information turned out to be exposed:

  • the names and emails of all the account’s employees,
  • employees’ roles, via JIRA groups,
  • current projects and upcoming milestones, via JIRA dashboards / filters.

The screenshots below are taken from real companies. All sensitive information has been blurred.

  • Using a link of this type, anybody can gain unauthorised access to the list of all users, groups of users and emails of people within the account (a breeding ground for spear-phishing attacks). See the example below:
https://company-domain.atlassian.net/secure/popups/UserPickerBrowser.jspa
  • Dashboards shared with the public are exposed as well:
https://company-domain.atlassian.net/secure/ConfigurePortalPages!default.jspa?view=popular
  • Publicly shared filters are also exposed:
https://company-domain.atlassian.net/secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false

To fix the misconfiguration, follow the steps below.

1. Go to JIRA Administration > System > Global Permissions.

2. Check each permission scheme and remove all permissions granted to “Anyone”.

3. Check each filter / dashboard shared with everyone by going to JIRA Administration > System > Shared Filters / Shared Dashboards. Look for entries marked “Shared with the public” or “Shared with all users” (if you are using an old version of JIRA Server).
NOTE: only the owner of a filter/dashboard is able to edit that filter’s/dashboard’s sharing settings.

4. To reconfigure filters, go to JIRA > Issues > View all filters; for dashboards, go to JIRA > Dashboards > View all dashboards. Open the filter/dashboard menu (“…” icon) and select “Edit”. Remove public access by clicking the trash bin next to the “Shared with the public” sharing option. You can then specify the groups you’d like to share the filter/dashboard with.

5. Finally, JIRA administrators should disable the ability to share dashboards and filters publicly via the global setting “Public sharing”.
This setting is available from JIRA Administration > System > General Configuration > Edit Settings > Options section.
NOTE: this does not affect existing filters and dashboards. After changing this setting, you still need to update existing filters/dashboards (see step #4) if they have already been shared with “Everyone”.
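Steps 3 and 4 are a manual review of every filter and dashboard, which does not scale on a busy site and has to be repeated after the “Public sharing” setting is changed (see the note above). The script below is an added example, not part of the original article or of Atlassian’s tooling: it audits a Jira Cloud site for over-shared filters and dashboards through the REST API. It assumes the Jira Cloud REST API v3 endpoints `/rest/api/3/filter/search` (with `expand=sharePermissions`) and `/rest/api/3/dashboard`, that each record carries a `sharePermissions` list whose `type` is `"global"` for “Shared with the public” and `"loggedin"` for “Shared with all users”, and that an administrator’s e-mail plus API token are used for basic auth. The sample records at the bottom are constructed, so the classification logic can be exercised offline.

```python
"""Audit a Jira Cloud site for filters and dashboards shared too widely.

Added example, not from the original article. Assumed API details: Jira Cloud
REST v3, sharePermissions "type" values "global" (public) and "loggedin"
(all logged-in users), basic auth with e-mail + API token.
"""
import base64
import json
import urllib.request

# Share types that widen the audience beyond specific projects/groups/users.
PUBLIC_TYPES = {"global"}                        # "Shared with the public"
ALL_USERS_TYPES = {"loggedin", "authenticated"}  # "Shared with all users" (assumed aliases)


def find_overshared(items):
    """Classify Jira filter/dashboard records by their sharePermissions.

    Returns (public, all_users): two lists of (id, name) tuples. Records that
    are private or shared only with projects, groups or users are ignored.
    """
    public, all_users = [], []
    for item in items:
        types = {perm.get("type") for perm in item.get("sharePermissions", [])}
        entry = (str(item.get("id")), item.get("name", ""))
        if types & PUBLIC_TYPES:
            public.append(entry)
        elif types & ALL_USERS_TYPES:
            all_users.append(entry)
    return public, all_users


def _get_json(base_url, path, email, api_token):
    """GET a JSON resource using HTTP basic auth (e-mail + API token)."""
    creds = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Basic {creds}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _paged(base_url, path, list_key, email, api_token, page_size=50):
    """Walk a startAt/maxResults paginated endpoint, yielding every record."""
    start = 0
    while True:
        sep = "&" if "?" in path else "?"
        page = _get_json(base_url, f"{path}{sep}startAt={start}&maxResults={page_size}",
                         email, api_token)
        records = page.get(list_key, [])
        if not records:
            return
        yield from records
        start += len(records)
        total = page.get("total")
        if page.get("isLast") is True or (total is not None and start >= total):
            return


def audit_site(base_url, email, api_token):
    """Fetch all filters and dashboards of one site and classify their sharing."""
    filters = list(_paged(base_url, "/rest/api/3/filter/search?expand=sharePermissions",
                          "values", email, api_token))
    dashboards = list(_paged(base_url, "/rest/api/3/dashboard", "dashboards", email, api_token))
    return {"filters": find_overshared(filters), "dashboards": find_overshared(dashboards)}


def format_report(results):
    """Render audit results as one line per finding, public findings first."""
    lines = []
    for kind, (public, all_users) in results.items():
        lines += [f"PUBLIC    {kind[:-1]} {item_id} {name!r}" for item_id, name in public]
        lines += [f"ALL-USERS {kind[:-1]} {item_id} {name!r}" for item_id, name in all_users]
    return lines


# Constructed sample records in the shape the API returns (not real data).
SAMPLE_FILTERS = [
    {"id": "10001", "name": "Roadmap Q3 milestones",
     "sharePermissions": [{"id": 1, "type": "global"}]},
    {"id": "10002", "name": "All open bugs",
     "sharePermissions": [{"id": 2, "type": "loggedin"}]},
    {"id": "10003", "name": "Payments team board",
     "sharePermissions": [{"id": 3, "type": "group", "group": {"name": "payments-dev"}}]},
    {"id": "10004", "name": "Private scratch filter", "sharePermissions": []},
]

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live audit call
    # audit_site("https://company-domain.atlassian.net", email, api_token).
    for line in format_report({"filters": find_overshared(SAMPLE_FILTERS)}):
        print(line)
```

Only the `PUBLIC` findings correspond to the “Shared with the public” exposure described in this article; the `ALL-USERS` findings are listed because, on a site where anonymous access to a project has been granted, “all users” can still be wider than intended. Either way, the fix is the one in step 4: edit the filter or dashboard and replace the broad share with specific groups.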

With the easy steps outlined above, the data stored in JIRA will be protected from outsiders’ eyes, keeping internal information secure.

The issue was analysed by Kamil Hismatullin. We held off publishing this article for some time to make sure that the companies we had contacted about this threat had adjusted their configurations.

Recent news: JIRA has adjusted its logic regarding some of the settings mentioned above. In the new version of JIRA Server the default setting is no longer “shared with public”, unlike in the old version.

Please feel free to post questions or additional remarks that you might have regarding use of JIRA.

Thank you!


You can check my other articles:

  1. 7 Ways a Manager Can Increase Development Team’s Efficiency
    https://medium.flatstack.com/7-ways-a-manager-can-increase-development-teams-efficiency-dfa45c978a5
  2. Benefits of Hackathons in the Workplace
    https://medium.flatstack.com/benefits-of-hackathons-in-the-workplace-67c289e1d312


Product manager in Silicon Valley with 8y+ of experience: launching new products (0→1), scaling existing products (1→∞) in startup, SMB & enterprise setup.