Directory traversal explained: Definition, examples and prevention

Jira is just the most recent company to expose its customers via a path traversal vulnerability. This risk is easily avoidable, but developers keep making the same mistake.

Directory traversal examples

In September, researchers discovered a "critical severity" directory traversal vulnerability in Atlassian's Jira Service Desk Server and Jira Service Desk Data Center that could allow attackers to protected information belonging to the company's customers, says Satnam Narang, senior research engineer at Tenable Network Security. 

"They can see bug reports and other things that are being tracked, like new feature requests," he says. "Sensitive information that they shouldn't access, potential trade secrets, all the issues that organizations handle internally."

Tenable researchers were able to find publicly accessible Jira Service Desk portals with a simple search. Attackers could also use the information they glean from the tickets for social engineering, says Kevin Delaney, director of solutions engineering at Security Compass, a Toronto-based cybersecurity software company. "Someone can call you up and they have your ticket number, your email address -- everything they need to convince you to trust them," he says. "They can get you to give them your passwords or wire them money."

To continue reading this article register now

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!