Unauthenticated Access to JIRA Popular Dashboard - carnal0wnage/J-PWN GitHub Wiki
Unauthenticated Access to JIRA Popular Dashboard
Category: [Info Disclosure]
Module name: check_unauthenticated_popular_dashboard
URL: /secure/ConfigurePortalPages!default.jspa?view=popular
[CG] You will have to manually review these for interesting content
INFO: Unauthenticated Popular Dashboard
[Testing URL]: http://JIRASERVER/secure/ConfigurePortalPages!default.jspa?view=popular
+ [Info Disclosure] Unauthenticated Popular Dashboard Found [Manually Inspect]
URL: http://JIRASERVER/secure/ConfigurePortalPages!default.jspa?view=popular
INFO: Unauthenticated Popular Dashboard
[Testing URL]: https://JIRASERVER/jira/secure/ConfigurePortalPages!default.jspa?view=popular
[-] No Unauthenticated Popular Dashboard vulnerability | No Shared Popular Dashboards found
Popular Dashboard
/secure/ConfigurePortalPages!default.jspa?view=popular
From: https://hackerone.com/reports/139970
Issue
The issue with NewRelic's account is a bit similar to http://www.geek.com/games/valve-has-56-people-working-on-half-life-3-1572498/. It occurs because of a wrong permissions scheme and leads to a leak of some sensitive data. Whether or not the user is logged in to the JIRA application, he is able to see all shared filters and dashboards. Basically, the instance is externally exposed to non-logged-in users.
The following internal information was found to be leaking:
employee roles, upcoming milestones, secret projects and features, through JIRA filters / dashboards. Please use the URLs below to review these leaks:
https://newrelic.atlassian.net/secure/ConfigurePortalPages!default.jspa?view=popular
https://newrelic.atlassian.net/secure/ManageFilters.jspa?filterView=search&Search=Search&filterView=search&sortColumn=favcount&sortAscending=false
Resolution
Analyze each specific Filter or Dashboard shared with everyone by looking for “Shared with all users”, in the “Manage Filters” and “Manage Dashboards” sections, and grant permissions to specific groups.
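An added audit helper for the resolution step above, written for this wiki page and not part of J-PWN or the HackerOne report: given filter or dashboard objects in the shape the Jira REST API returns, it lists the ones shared with all users or all logged-in users so an admin can restrict them to specific groups. The share-permission type names and the search endpoints named in the comments are assumptions about the Jira REST API, and the sample data is constructed.

```python
import json

# Share-permission types that expose a filter or dashboard to everyone rather than to a
# named user, group, project or role. Assumption: these are the "type" values Jira's
# REST API uses in sharePermissions ("global" = public/all users, "loggedin" and the
# older "authenticated" = every logged-in user).
BROAD_SHARE_SCOPES = {
    "global": "all users (public)",
    "loggedin": "all logged-in users",
    "authenticated": "all logged-in users",
}


def broadly_shared(items):
    """Return (id, name, scope) for each item whose sharePermissions include a
    broad share. Items are dicts shaped like Jira filter/dashboard objects."""
    findings = []
    for item in items:
        for perm in item.get("sharePermissions", []):
            scope = BROAD_SHARE_SCOPES.get(perm.get("type"))
            if scope is not None:
                findings.append((str(item["id"]), item["name"], scope))
                break  # one finding per item is enough
    return findings


# Constructed sample data (not a real export): three filters and a dashboard in the
# shape of the objects returned by the filter/dashboard search endpoints.
SAMPLE_ITEMS = json.loads("""
[
  {"id": "10100", "name": "Roadmap: secret project",
   "sharePermissions": [{"id": 1, "type": "global"}]},
  {"id": "10101", "name": "Team roles",
   "sharePermissions": [{"id": 2, "type": "group", "group": {"name": "jira-users"}}]},
  {"id": "10102", "name": "Upcoming milestones",
   "sharePermissions": [{"id": 3, "type": "project", "project": {"key": "ENG"}},
                        {"id": 4, "type": "loggedin"}]},
  {"id": "10200", "name": "Private dashboard", "sharePermissions": []}
]
""")

if __name__ == "__main__":
    # Assumption: in practice, fetch the "values" array from
    # GET /rest/api/<version>/filter/search?expand=sharePermissions and
    # GET /rest/api/<version>/dashboard/search?expand=sharePermissions with an
    # admin session, then pass it to broadly_shared().
    for item_id, name, scope in broadly_shared(SAMPLE_ITEMS):
        print(f"[!] {item_id} {name!r} is shared with {scope}; restrict to specific groups")
```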