On Exposed Jira Dashboards

During some recent research of my own, I discovered exposed Jira dashboards belonging to several companies. There is no guarantee that the companies named actually own these tenants, but given the subdomain names it is a reasonably safe assumption to make.

Circle K:
https://circlek.atlassian.net/jira/filters?searchName=&Search=Search&filterView=search

Waterstones:
https://waterstones.atlassian.net/jira/filters?searchName=&Search=Search&filterView=search

Brown Thomas also had exposed filters and dashboard names:

Dashboards - JIRA
Filters - JIRA

Tesco Mobile:
https://tescomobile.atlassian.net/jira/dashboards

SanDisk:

Dashboards - JIRA

Teradata:
https://teradata.atlassian.net/jira/dashboards

QLogic:

Dashboards - Qlogic Jira

Westcoast:
https://westcoast.atlassian.net/jira/dashboards

Trane Technologies:
https://tranetechnologies.atlassian.net/jira/dashboards

Kraft Heinz:

Dashboards - Jira

eShopWorld:
https://eshopworld.atlassian.net/jira/dashboards

Since you can't actually click through into the projects, this kind of misconfiguration doesn't have a huge impact on its own. It does still leak information, though: the names of ongoing projects, the filters people have saved in Jira, and so on. That is sensitive information, and in the examples above there are employee names in the project titles. The root cause is dashboards and filters that were shared with "Public" (anyone on the internet); a Jira Cloud admin can prevent that site-wide by turning off "Allow users to share dashboards and filters with the public" under System > General configuration, and should then review any existing public shares.

Nonetheless, it is fun to find, and in some cases you can even view a list of users. I found most of these dashboards (the latter ten, in fact) on the same night, in about two hours. Some of these companies (Circle K, Teradata and SanDisk, for example) are huge names. It's worth noting that most of these instances are also vulnerable to CVE-2020-14179, an unauthenticated information disclosure in the /secure/QueryComponent!Default.jspa endpoint that leaks custom field names and custom SLA names, so a little more information than the listings alone. That CVE is filed against Jira Server and Data Center (fixed in 8.5.8 and 8.12.0), so check each cloud tenant individually rather than assuming.
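A quick way to check whether a tenant leaks these listings is to ask the Jira Cloud REST API the same questions anonymously. The script below is an added example (my code, not the author's) and assumes the tenant lives at <name>.atlassian.net; it queries three documented endpoints (dashboards, filter search, user search) without credentials and treats a 200 with a non-empty JSON list as exposure. The sample responses are constructed, not captured from any of the companies above, so the script runs offline when given no argument. Point it only at tenants you are authorised to test.

```python
"""Check whether a Jira Cloud tenant answers anonymous requests for its
dashboard, filter and user listings.  Added example, not code from the post."""
import json
import sys
import urllib.error
import urllib.request

# Documented Jira Cloud REST endpoints, requested with no credentials.
# Anonymous results from the first two depend on objects having been shared
# with "Public" (and the admin setting that allows such sharing); the third
# requires the "Browse users and groups" global permission.
CHECKS = {
    "dashboards": "/rest/api/3/dashboard?maxResults=50",
    "filters": "/rest/api/3/filter/search?maxResults=50",
    "users": "/rest/api/3/users/search?maxResults=50",
}


def fetch(url, timeout=10):
    """Anonymous GET; returns (status, body) and never raises on HTTP errors."""
    req = urllib.request.Request(
        url, headers={"Accept": "application/json", "User-Agent": "jira-exposure-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(check, status, body):
    """Map one response to (exposed, names).

    Only HTTP 200 with a non-empty JSON listing counts as exposure: 401/403
    (no anonymous access), a 200 whose body is an HTML login page, or a 200
    with an empty list (endpoint reachable, nothing shared) all give False.
    """
    if status != 200:
        return False, []
    try:
        data = json.loads(body)
    except ValueError:
        return False, []
    if check == "dashboards":
        items = data.get("dashboards", []) if isinstance(data, dict) else []
        names = [d.get("name", "") for d in items]
    elif check == "filters":
        items = data.get("values", []) if isinstance(data, dict) else []
        names = [f.get("name", "") for f in items]
    else:  # "users": this endpoint returns a bare JSON array of user objects
        items = data if isinstance(data, list) else []
        names = [u.get("displayName", "") for u in items]
    return bool(items), names


def audit(tenant, fetch_fn=fetch):
    """Run every check against https://<tenant>.atlassian.net.

    fetch_fn is injectable so constructed responses can be used offline."""
    base = f"https://{tenant}.atlassian.net"
    return {name: classify(name, *fetch_fn(base + path)) for name, path in CHECKS.items()}


# Constructed sample responses (not captured from any real tenant) covering
# the three outcomes: dashboards shared publicly, filters reachable but
# empty, and user search refused.
CONSTRUCTED = {
    CHECKS["dashboards"]: (200, json.dumps({"total": 2, "dashboards": [
        {"id": "10000", "name": "System Dashboard"},
        {"id": "10102", "name": "Platform migration - J. Bloggs"}]})),
    CHECKS["filters"]: (200, json.dumps({"total": 0, "isLast": True, "values": []})),
    CHECKS["users"]: (401, json.dumps({"errorMessages": ["Unauthorized"]})),
}


def constructed_fetch(url):
    """Offline stand-in for fetch(): look the request path up in CONSTRUCTED."""
    return CONSTRUCTED[url.split(".atlassian.net", 1)[1]]


if __name__ == "__main__":
    # With a tenant name (e.g. "example") the real endpoints are queried;
    # with no argument the constructed responses are used instead.
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else audit("example", constructed_fetch)
    for check, (exposed, names) in results.items():
        print(f"{check:10s} {'EXPOSED' if exposed else 'ok':8s} {', '.join(names[:5])}")
```

A 200 from the dashboards endpoint that lists only "System Dashboard" is still worth noting: it means anonymous access to the site is on, even if nobody has shared anything sensitive yet.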

My DuckDuckGo XSS has 14 days remaining until I can disclose it, and I'm really looking forward to sharing that.

Monke

Ireland
I'm a college student studying Computer Science.