Cyber Web Spider Blog – News

Jira Software Vulnerability Lets Attackers Modify Any Filesystem Path Writable by the JVM Process

Posted on October 23, 2025October 23, 2025 By CWS

Atlassian has disclosed a high-severity path traversal vulnerability in Jira Software Data Center and Server that allows authenticated attackers to write arbitrary files to any path writable by the Java Virtual Machine (JVM) process.

The flaw, tracked as CVE-2025-22167 with a CVSS score of 8.7, affects versions from 9.12.0 through 11.0.1. It was discovered internally by Atlassian, which is urging customers to patch promptly.

Organizations that rely on Jira for project management risk data tampering or service disruption if they leave it unpatched.

Path Traversal Flaw Uncovered

The vulnerability stems from insufficient input validation in file-handling code, which lets low-privileged attackers, meaning any authenticated user, bypass the intended path restrictions.

By crafting malicious requests, an attacker can inject traversal sequences such as "../" to reach directories outside the intended scope and write arbitrary files anywhere the JVM process has write permission. The damage is therefore bounded only by the filesystem permissions of the account running Jira, not by anything Jira itself enforces.
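The bug class described above, shown as an added example that is not Jira's code and says nothing about where Atlassian's actual defect lives: a file-write routine that joins user input onto a base directory without checking the result, beside a hardened version that percent-decodes, rejects NUL bytes, folds backslashes, and compares resolved paths so that neither "../" nor an absolute path nor a symlink inside the base can carry the write outside it. The names save_attachment_vulnerable, save_attachment_safe and upload_dir are hypothetical, and the sandbox used by demonstrate_escape() is constructed on the fly.

```python
"""Path traversal on file write: the vulnerable pattern beside a hardened one.

Added illustration only; this is not Jira's code and makes no claim about
where Atlassian's bug actually lives. The function and directory names
(save_attachment_*, upload_dir) are hypothetical.
"""
import os
import tempfile
import urllib.parse
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a user-supplied path would leave the base directory."""


def save_attachment_vulnerable(upload_dir: str, filename: str, data: bytes) -> str:
    """The bug class: user input joined onto a base directory, never checked.

    os.path.join() happily walks '../' segments out of upload_dir, and if
    filename is absolute it drops upload_dir entirely, so the write lands
    anywhere the process can write.
    """
    target = os.path.join(upload_dir, filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def safe_join(base_dir: str, user_path: str) -> Path:
    """Resolve user_path under base_dir, refusing anything that escapes it.

    Order matters: decode first (so '%2e%2e' and double-encoded '%252e' are
    seen as '..'), reject NUL, fold backslashes, then compare *resolved* paths
    so a symlink inside base_dir cannot be used to point outside it.
    """
    decoded = user_path
    for _ in range(3):  # bounded loop: catches %252e-style double encoding
        again = urllib.parse.unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    decoded = decoded.replace("\\", "/")

    base = Path(base_dir).resolve()
    # Path '/' discards base when decoded is absolute; the containment check
    # below catches that case as well as '../' and symlink escapes.
    target = (base / decoded).resolve()  # non-strict: target may not exist yet
    if target == base or base not in target.parents:
        raise TraversalError(f"{user_path!r} resolves outside {base}")
    return target


def save_attachment_safe(upload_dir: str, filename: str, data: bytes) -> str:
    """Hardened write: same interface, but the path is validated first."""
    target = safe_join(upload_dir, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return str(target)


def is_contained(base_dir: str, user_path: str) -> bool:
    """True if safe_join() would accept user_path under base_dir."""
    try:
        safe_join(base_dir, user_path)
        return True
    except TraversalError:
        return False


def demonstrate_escape() -> tuple:
    """Run both versions against a throwaway sandbox (constructed here).

    Returns (vulnerable_wrote_outside_upload_dir, safe_version_refused).
    """
    sandbox = tempfile.mkdtemp(prefix="traversal-demo-")
    upload_dir = os.path.join(sandbox, "uploads")
    os.mkdir(upload_dir)

    save_attachment_vulnerable(upload_dir, "../escaped.txt", b"owned")
    escaped = os.path.isfile(os.path.join(sandbox, "escaped.txt"))

    try:
        save_attachment_safe(upload_dir, "../escaped2.txt", b"owned")
        refused = False
    except TraversalError:
        refused = True
    return escaped, refused


if __name__ == "__main__":
    print("vulnerable wrote outside, safe refused:", demonstrate_escape())
    for candidate in ("report.pdf", "../../etc/passwd", "/etc/passwd",
                      "%2e%2e/%2e%2e/etc/passwd", "..\\..\\win.ini"):
        verdict = "accept" if is_contained("/srv/uploads", candidate) else "reject"
        print(f"{candidate!r:32} -> {verdict}")
```

The containment test is done on the resolved target rather than by pattern-matching "../", which is what makes it robust: an encoded, backslash-separated or symlink-routed path either resolves inside the base and is harmless, or resolves outside it and is refused, regardless of how it was spelled.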

Introduced in the major releases 9.12.0 and 10.3.0, the bug persisted into the 11.0 branch until it was fixed in 9.12.28, 10.3.12, and 11.1.0.

Atlassian confirmed that no user interaction is required and that the attack vector is network-based with low complexity, so it is exploitable remotely by anyone who holds valid credentials.

Although the primary impact is an arbitrary file write, chaining it with other flaws could extend it to file reads, escalating to data exfiltration or code injection.

For businesses that use Jira in software development or IT operations, exploitation could corrupt configuration files, alter project data, or plant malware, leading to operational disruption or compliance breaches.

The high integrity and availability impacts mean attackers could delete logs, modify databases, or cause a denial of service by overwriting critical files.

In regulated sectors such as finance or healthcare, this could indirectly expose intellectual property or patient records.

No public exploits exist yet, but the low bar to entry, requiring only basic authentication, heightens the urgency, especially for internet-facing instances.

Mitigations

Atlassian urges immediate upgrades to patched versions: 9.12.28 or later for the 9.x series, 10.3.12 or later for 10.x, and 11.1.0 or later for the newest branch.

Users who cannot upgrade fully should at least move to these minimum fixed versions and monitor the release notes for details. As interim measures, restrict the JVM's filesystem permissions, segment network access, and enable anomaly detection for file changes. Of these, restricting what the Jira service account can write is the one that directly shrinks the impact of this bug, because the vulnerability gives an attacker exactly that account's write access and nothing more.
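Before restricting the JVM's filesystem permissions it helps to know what the service account can currently write. The following is an added example, not an Atlassian tool: it walks a tree, re-implements the POSIX owner/group/other write check from mode bits (ignoring ACLs, capabilities and SELinux/AppArmor), and reports directories the account could create files in that are not under an allowlist of places Jira legitimately needs. The default allowlist assumes a stock Linux layout with Jira home under /var/atlassian/application-data/jira and the install under /opt/atlassian/jira; both are assumptions to adjust for your host, as is the "jira" user name.

```python
"""Measure the blast radius: which directories can the Jira service account write?

Added example, not an Atlassian tool. The permission check is computed from
mode bits rather than os.access(), so the script can run as root and answer
"what could uid X write to?" without switching users. ACLs, capabilities and
MAC policies (SELinux/AppArmor) are not modelled.
"""
import os
import stat
import sys

# Directories a Jira JVM legitimately needs to write to (assumed defaults;
# adjust to the real home/install paths on the host being audited).
EXPECTED_WRITABLE = [
    "/var/atlassian/application-data/jira",
    "/opt/atlassian/jira/logs",
    "/opt/atlassian/jira/temp",
    "/opt/atlassian/jira/work",
]


def can_write(st: os.stat_result, uid: int, gids: set) -> bool:
    """Discretionary access check in the order the kernel applies it:
    owner bits if uid owns the file, else group bits if any gid matches,
    else the 'other' bits. (uid 0 bypasses DAC in reality; not modelled.)"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_dirs(root: str, uid: int, gids: set) -> list:
    """Every directory under root the account could create files in.

    Symlinks are not followed and other filesystems are pruned (like find -xdev),
    so /proc and /sys do not pollute a scan started at '/'.
    """
    root_dev = os.lstat(root).st_dev
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        try:
            st = os.lstat(dirpath)
        except OSError:
            continue
        if st.st_dev != root_dev:
            dirnames[:] = []  # do not descend into a different filesystem
            continue
        if stat.S_ISDIR(st.st_mode) and can_write(st, uid, gids):
            found.append(dirpath)
    return sorted(found)


def unexpected_writable(found: list, allowed: list) -> list:
    """Keep only directories that are not at or below an allowed prefix."""
    allowed = [os.path.normpath(a) for a in allowed]

    def permitted(d: str) -> bool:
        d = os.path.normpath(d)
        return any(d == a or d.startswith(a + os.sep) for a in allowed)

    return [d for d in found if not permitted(d)]


def account(username: str) -> tuple:
    """(uid, set of gids) for a local account; Unix-only, hence the local import."""
    import pwd
    pw = pwd.getpwnam(username)
    return pw.pw_uid, {pw.pw_gid} | set(os.getgrouplist(username, pw.pw_gid))


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "jira"   # assumed service account
    root = sys.argv[2] if len(sys.argv) > 2 else "/"
    uid, gids = account(user)
    extra = unexpected_writable(writable_dirs(root, uid, gids), EXPECTED_WRITABLE)
    print(f"{len(extra)} directories writable by {user} outside the allowlist:")
    for d in extra:
        print(" ", d)
```

Run it as root on the Jira host (python3 audit.py jira /) and every line it prints is a place CVE-2025-22167 could drop a file today; the fix for each is chown/chmod, or an equivalent sandbox rule, until the list is empty. Keep in mind that the tree under the Jira install directory is also where the JVM loads code from, so any writable path there deserves attention first.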

Backups and audits are essential for recovering from a potential incident. The internal discovery reflects Atlassian's proactive stance, but delayed patching could invite targeted attacks in a landscape rife with supply-chain threats.

With over 200,000 organizations depending on Jira, swift action is critical to safeguard workflows.
