Associated Vulnerability
Title: Atlassian Jira Software Data Center and Server Security Vulnerability (CVE-2025-22167)
Description: This High severity Path Traversal (Arbitrary Write) vulnerability was introduced in versions 9.12.0 and 10.3.0 and remains present in 11.0.0 of Jira Software Data Center and Server. This Path Traversal (Arbitrary Write) vulnerability, with a CVSS Score of 8.7, allows an attacker to modify any filesystem path writable by the Jira JVM process. Atlassian recommends that Jira Software Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
- Jira Software Data Center and Server 9.12: upgrade to a release greater than or equal to 9.12.28
- Jira Software Data Center and Server 10.3: upgrade to a release greater than or equal to 10.3.12
- Jira Software Data Center and Server 11.0: upgrade to a release greater than or equal to 11.1.0
See the release notes. You can download the latest version of Jira Software Data Center and Server from the download center. This vulnerability was reported via our Atlassian (Internal) program.
Description
CVE-2025-22167 scanner script
Readme
# README — CVE-2025-22167 (Atlassian Jira)
> **For defensive use only.**
> This README describes CVE-2025-22167 (a high‑severity path‑traversal / arbitrary‑file‑write vulnerability affecting Atlassian Jira). It explains what the issue is, how it happens at a high level, safe detection guidance, mitigation and remediation steps, and recommended monitoring/forensics. Do **NOT** use any exploitation techniques against systems you do not own or do not have explicit written authorization to test.
---
## Summary
- **CVE:** CVE-2025-22167
- **Type:** Path Traversal → Arbitrary File Write
- **Impact:** Allows modification (write) of any filesystem path writable by the Jira JVM process; can lead to data corruption, webshell implantation, or RCE when chained with other issues.
- **Severity:** High — CVSS v3.1 score reported as **8.7**.
- **Affected products / versions:** Jira Software Data Center & Server (introduced in 9.12.0 and 10.3.0; present through 11.0.0 in the reported advisory), and related Jira Service Management Data Center & Server lines per Atlassian bulletin. Check the official Atlassian bulletin for exact fixed version numbers.
---
## How the vulnerability works (high-level)
A component of Jira failed to properly validate or canonicalize input that is used to derive filesystem paths. By supplying specially crafted path-like input that traverses directories (e.g., sequences like `../` or their URL‑encoded equivalents), an attacker can cause the application to write a file to a path outside the intended storage area. Because the write operation runs with the privileges of the Jira JVM process, the attacker can modify any location writable by that process — potentially overwriting configuration, planting a webshell, or otherwise tampering with host files.
---
## Safe detection (Non‑intrusive / recommended)
**Important:** Do *not* perform exploitative writes on production systems. Detection should be non‑intrusive and inference‑based unless you have explicit authorization and are working in an isolated test lab.
1. **Version identification (safe):**
- Query Jira server info endpoints: `/rest/api/2/serverInfo`, `/rest/api/3/serverInfo`, or `/rest/api/latest/serverInfo` — these commonly return `version` in JSON. If the reported version falls into the affected range, treat it as *potentially vulnerable*.
2. **Header / HTML fingerprinting (safe fallback):**
- If serverInfo is inaccessible, attempt to detect version strings in HTTP headers or HTML page titles/body. If no version can be determined, classify target as *unknown* and recommend further manual review.
3. **Log inspection (safe):**
- Look for anomalous HTTP requests with path‑traversal payloads in access logs, and errors/exceptions in application logs that reference file I/O failures or unexpected paths.
4. **Use a non‑exploit scanner:**
- Use the provided safe scanner (or other defensive scanners) that only collects version info and flags potentially affected hosts. Do not include any module that attempts to write files or verify writes.
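As an added example (not the scanner script shipped in this repository), the version check of step 1 and the log inspection of step 3 in Python: the affected ranges are exactly those stated in the advisory text above, the `serverInfo` bodies and access-log lines are constructed, and `/example/upload` is a placeholder path, not a Jira endpoint.

```python
import json
import re
from urllib.parse import unquote

# Affected ranges as stated in the advisory text on this page: introduced in
# 9.12.0 and 10.3.0, still present in 11.0.0; fixed in 9.12.28, 10.3.12, 11.1.0.
AFFECTED_RANGES = [((9, 12, 0), (9, 12, 28)),
                   ((10, 3, 0), (10, 3, 12)),
                   ((11, 0, 0), (11, 1, 0))]

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")   # '../' or '..\' after decoding

# Constructed access-log lines (not real traffic); /example/upload is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "POST /example/upload?name=..%2F..%2Fnote.txt HTTP/1.1" 400 0',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "POST /example/upload?name=%252e%252e%252fnote.txt HTTP/1.1" 400 0',
]


def parse_version(version):
    """'10.3.11' -> (10, 3, 11); trailing non-numeric text such as '-beta' is dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple((parts + [0, 0, 0])[:3])


def classify_server_info(body):
    """Classify the JSON body of /rest/api/2/serverInfo by its 'version' field.
    Lines not listed in the advisory are 'outside listed ranges', not 'safe'."""
    try:
        version = json.loads(body).get("version")
    except (ValueError, AttributeError):
        return "unknown"
    if not version:
        return "unknown"
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return "potentially vulnerable"
        if v[:2] == first_fixed[:2] and v >= first_fixed:
            return "fixed"
    return "outside listed ranges"


def find_traversal(log_lines):
    """Return log lines containing a '..' traversal after URL-decoding; decoding
    twice also catches double-encoded sequences such as %252e%252e%252f."""
    return [ln for ln in log_lines if TRAVERSAL_RE.search(unquote(unquote(ln)))]
```

Versions reported as "outside listed ranges" still need a manual check against the Atlassian bulletin, as the README's step 2 recommends for undetermined hosts.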
References describing the vulnerability and detection: Atlassian Security Bulletin and NVD entry.
---
## Immediate mitigation (short term)
If you cannot patch immediately, apply one or more of the following temporary mitigations:
- **Restrict access to Jira** — limit network exposure (place behind VPN, restrict admin interfaces to trusted IPs, or firewall/ACL rules).
- **Use WAF rules** to block path‑traversal patterns (e.g., `../`, `..%2f`, suspicious `..` encodings) at the perimeter. Test rules to avoid blocking legitimate traffic. Example ModSecurity rule (illustrative):
```apache
SecRule REQUEST_URI|ARGS "@rx (\.\./|\.\.%2f|%2e%2e\/)" \
"id:100001,phase:2,deny,status:403,msg:'Possible path traversal attempt',log,logdata:'%{MATCHED_VAR}'"
```
File Snapshot
[4.0K] /data/pocs/82bd712666dfee7e693aa40a6ffc51acfc4959a4
├── [8.0K] jira_cve2025_22167_scanner.py
└── [3.8K] README.md
1 directory, 2 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support.