UN Environment Programme

Researchers discovered a security vulnerability in United Nations Git directories and credentials that could expose over 100,000 private employee records of the United Nations Environmental Programme (UNEP).

The exposed Git directories and credentials allowed the researchers to clone Git repositories and gather a large amount of personally identifiable information (PII) associated with UNEP employees.

The .git directory contents included sensitive files, such as WordPress configuration files (wp-config.php) that exposed the administrator's database credentials.

The data set obtained by the group exposed the travel history of UN staff, with each row containing: Employee ID, Names, Employee Groups, Travel Justification, Start and End Dates, Approval Status, Destination, and the Length of Stay.

Source: https://www.bleepingcomputer.com/news/security/united-nations-data-breach-exposed-over-100k-unep-staff-records/

TPRM report: https://scoringcyber.rankiteo.com/company/unep

{
  "id": "une0717622",
  "linkid": "unep",
  "type": "Vulnerability",
  "date": "01/2021",
  "severity": "80",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'industry': 'Environmental',
                        'name': 'United Nations Environmental Programme',
                        'type': 'Non-Governmental Organization'}],
 'attack_vector': 'Exposed Git Directories',
 'data_breach': {'file_types_exposed': ['WordPress configuration files '
                                        '(wp-config.php)'],
                 'number_of_records_exposed': 'Over 100,000',
                 'personally_identifiable_information': ['Employee ID',
                                                         'Names',
                                                         'Employee Groups',
                                                         'Travel Justification',
                                                         'Start and End Dates',
                                                         'Approval Status',
                                                         'Destination',
                                                         'Length of Stay'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personally Identifiable '
                                             'Information (PII)'},
 'description': 'A security vulnerability in United Nations Git directories '
                'and credentials was discovered by researchers that could '
                'expose over 100,000 private employee records of the United '
                'Nations Environmental Programme. Git directories and '
                'credentials allowed the researchers to clone Git repositories '
                'and gather a large amount of personally identifiable '
                'information (PII) associated with UNEP employees. The .git '
                'directory contents comprised sensitive files, such as '
                'WordPress configuration files (wp-config.php) exposing the '
                "administrator's database credentials. The data set obtained "
                'by the group exposed the travel history of UN staff, with '
                'each row containing: Employee ID, Names, Employee Groups, '
                'Travel Justification, Start and End Dates, Approval Status, '
                'Destination, and the Length of Stay.',
 'impact': {'data_compromised': ['Employee ID',
                                 'Names',
                                 'Employee Groups',
                                 'Travel Justification',
                                 'Start and End Dates',
                                 'Approval Status',
                                 'Destination',
                                 'Length of Stay']},
 'title': 'UNEP Data Exposure Incident',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Improper Access Control'}