Directory traversal examples
In September, researchers discovered a “critical severity” directory traversal vulnerability in Atlassian’s Jira Service Desk Server and Jira Service Desk Data Center that could allow attackers to access protected information belonging to the company’s customers, says Satnam Narang, senior research engineer at Tenable Network Security.
“They can see bug reports and other things that are being tracked, like new feature requests,” he says. “Sensitive information that they shouldn’t access, potential trade secrets, all the issues that organizations handle internally.”
Tenable researchers were able to find publicly accessible Jira Service Desk portals with a simple search. Attackers could also use the information they glean from the tickets for social engineering, says Kevin Delaney, director of solutions engineering at Security Compass, a Toronto-based cybersecurity software company. “Someone can call you up and they have your ticket number, your email address — everything they need to convince you to trust them,” he says. “They can get you to give them your passwords or wire them money.”
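To make the flaw class concrete, here is an added example (not code from the article, from Atlassian or from Tenable, and not a reproduction of the Jira Service Desk issue itself): a generic file-serving handler with a traversable path join beside a hardened one that canonicalises and enforces containment, plus a log-line check of the kind a detection engineer would run. BASE_DIR, the request paths and the access-log lines are all constructed for the example.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed for this example: the directory the handler is meant to serve from.
BASE_DIR = "/srv/app/public"


def vulnerable_resolve(user_path: str) -> str:
    """Naive handler: joins the request path onto BASE_DIR and normalises it,
    but never checks that the result is still inside BASE_DIR.
    "../../../etc/passwd" therefore resolves to /etc/passwd."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path.lstrip("/")))


def hardened_resolve(user_path: str) -> Optional[str]:
    """Decode twice (catches %252e-style double encoding), reject NUL bytes,
    normalise, then require the result to stay under BASE_DIR.
    Returns the safe absolute path, or None when the request is rejected."""
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded.lstrip("/")))
    # The trailing "/" in the prefix check matters: without it,
    # "/srv/app/public_old/secret" would pass as if it were under BASE_DIR.
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


def has_dot_dot_segment(url_path: str) -> bool:
    """Detection heuristic for access logs: browsers normalise ".." before
    sending, so a literal or encoded ".." segment in a request line is a
    strong traversal indicator regardless of what the server did with it."""
    decoded = unquote(unquote(url_path)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


# Constructed access-log lines (not real Jira Service Desk logs).
SAMPLE_LOG = [
    '203.0.113.7 - - "GET /portal/1/attachments/report.pdf HTTP/1.1" 200',
    '203.0.113.7 - - "GET /portal/1/attachments/..%2f..%2fWEB-INF/web.xml HTTP/1.1" 200',
    '198.51.100.2 - - "GET /portal/1/css/../img/logo.png HTTP/1.1" 200',
    '198.51.100.2 - - "GET /portal/1/%252e%252e/%252e%252e/admin/config.xml HTTP/1.1" 200',
]


def flag_traversal_requests(lines: List[str]) -> List[str]:
    """Return the request paths in `lines` that contain a ".." segment."""
    hits = []
    for line in lines:
        request = line.split('"')[1]          # 'GET /path HTTP/1.1'
        path = request.split(" ")[1]
        if has_dot_dot_segment(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for p in ("../../../etc/passwd", "css/../img/logo.png", "..%252f..%252fetc/passwd"):
        print(f"{p!r}: naive -> {vulnerable_resolve(p)}, hardened -> {hardened_resolve(p)}")
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

Two design points worth noting: the hardened resolver compares the canonicalised path against `BASE_DIR + "/"` rather than `BASE_DIR`, because a bare prefix match would accept sibling directories that merely share the name as a prefix; and the log check deliberately flags any `..` segment, including the harmless `css/../img/logo.png`, since well-behaved clients normalise such paths before sending and a raw one in the request line is worth a look even when the server resolved it safely.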