Researchers discovered a security vulnerability in United Nations Git directories and credentials that could expose over 100,000 private employee records of the United Nations Environmental Programme.
These Git directories and credentials allowed the researchers to clone Git repositories and gather a large amount of personally identifiable information (PII) associated with UNEP employees.
The .git directory contents included sensitive files, such as WordPress configuration files (wp-config.php) that exposed the administrator's database credentials.
The data set obtained by the group exposed the travel history of UN staff, with each row containing: Employee ID, Names, Employee Groups, Travel Justification, Start and End Dates, Approval Status, Destination, and the Length of Stay.
{
  "id": "UNE0717622",
  "linkid": "unep",
  "type": "Vulnerability",
  "date": "01/2021",
  "severity": "80",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}