Search
Find a vulnerability
Search criteria
26 vulnerabilities found for Jira Align by Atlassian
CVE-2025-22178 (GCVE-0-2025-22178)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 17:21
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the "Why" page.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T17:21:18.410947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T17:21:57.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the \"Why\" page."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.731Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8647"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22178",
"datePublished": "2025-10-22T16:30:04.731Z",
"dateReserved": "2025-01-01T00:01:27.178Z",
"dateUpdated": "2025-10-22T17:21:57.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22177 (GCVE-0-2025-22177)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 18:48
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view other team overviews.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T18:48:37.219728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T18:48:41.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view other team overviews."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:00.632Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8646"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22177",
"datePublished": "2025-10-22T16:30:00.632Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-22T18:48:41.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22176 (GCVE-0-2025-22176)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-23 17:40
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view audit log items.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22176",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T17:40:44.569011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T17:40:48.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view audit log items."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:02.956Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8645"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22176",
"datePublished": "2025-10-22T16:30:02.956Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-23T17:40:48.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22175 (GCVE-0-2025-22175)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-27 16:09
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user's private checklist.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22175",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T18:08:17.435004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T16:09:06.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user\u0027s private checklist."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:00.592Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8644"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22175",
"datePublished": "2025-10-22T16:30:00.592Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-27T16:09:06.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22174 (GCVE-0-2025-22174)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:39
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view portfolio rooms without the required permission.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22174",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T19:39:21.470781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T19:39:25.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view portfolio rooms without the required permission."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.050Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8643"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22174",
"datePublished": "2025-10-22T16:30:04.050Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-22T19:39:25.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22173 (GCVE-0-2025-22173)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:12
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22173",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T19:12:13.342584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T19:12:18.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.376Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8642"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22173",
"datePublished": "2025-10-22T16:30:04.376Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-22T19:12:18.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22172 (GCVE-0-2025-22172)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-23 17:32
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T17:32:37.765130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T17:32:42.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:03.984Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8641"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22172",
"datePublished": "2025-10-22T16:30:03.984Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-23T17:32:42.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22171 (GCVE-0-2025-22171)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-23 18:11
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T18:11:49.143375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T18:11:55.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:01.353Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8640"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22171",
"datePublished": "2025-10-22T16:30:01.353Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-23T18:11:55.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22170 (GCVE-0-2025-22170)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:16
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could if they included a particular state-related parameter of a user with sufficient privileges to perform the action.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22170",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T19:16:03.345408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T19:16:07.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could if they included a particular state-related parameter of a user with sufficient privileges to perform the action."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.355Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8639"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22170",
"datePublished": "2025-10-22T16:30:04.355Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-22T19:16:07.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22169 (GCVE-0-2025-22169)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 17:24
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22169",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T17:23:53.628155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T17:24:43.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.452Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8638"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22169",
"datePublished": "2025-10-22T16:30:04.452Z",
"dateReserved": "2025-01-01T00:01:27.176Z",
"dateUpdated": "2025-10-22T17:24:43.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22168 (GCVE-0-2025-22168)
Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-24 14:45
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user's private checklist.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T14:45:17.604258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T14:45:20.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user\u0027s private checklist."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:00.663Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8637"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22168",
"datePublished": "2025-10-22T16:30:00.663Z",
"dateReserved": "2025-01-01T00:01:27.176Z",
"dateUpdated": "2025-10-24T14:45:20.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36803 (GCVE-0-2022-36803)
Vulnerability from nvd – Published: 2022-10-14 03:45 – Updated: 2024-10-02 14:23
VLAI
EPSS
VEX
Summary
The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-276 - Incorrect Default Permissions
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Affected:
unspecified , < 10.109.2
(custom)
|
|
| atlassian | jira_align |
Affected:
0 , < 10.109.2
(custom)
cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:* |
Date Public
2022-08-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:14:28.492Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JIRAALIGN-4281"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_align",
"vendor": "atlassian",
"versions": [
{
"lessThan": "10.109.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-36803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T14:14:41.079148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T14:23:56.022Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "10.109.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-08-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-4281"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-36803",
"datePublished": "2022-10-14T03:45:15.477Z",
"dateReserved": "2022-07-26T00:00:00.000Z",
"dateUpdated": "2024-10-02T14:23:56.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36802 (GCVE-0-2022-36802)
Vulnerability from nvd – Published: 2022-10-14 03:45 – Updated: 2024-10-29 15:19
VLAI
EPSS
VEX
Summary
The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Server-Side Request Forgery
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Affected:
unspecified , < 10.109.2
(custom)
|
Date Public
2022-08-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:14:28.397Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-36802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T14:14:10.164355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T15:19:34.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "10.109.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-08-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-36802",
"datePublished": "2022-10-14T03:45:14.385Z",
"dateReserved": "2022-07-26T00:00:00.000Z",
"dateUpdated": "2024-10-29T15:19:34.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22178 (GCVE-0-2025-22178)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 17:21
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the "Why" page.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T17:21:18.410947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T17:21:57.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the \"Why\" page."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.731Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8647"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22178",
"datePublished": "2025-10-22T16:30:04.731Z",
"dateReserved": "2025-01-01T00:01:27.178Z",
"dateUpdated": "2025-10-22T17:21:57.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22169 (GCVE-0-2025-22169)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 17:24
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22169",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T17:23:53.628155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T17:24:43.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.452Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8638"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22169",
"datePublished": "2025-10-22T16:30:04.452Z",
"dateReserved": "2025-01-01T00:01:27.176Z",
"dateUpdated": "2025-10-22T17:24:43.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22173 (GCVE-0-2025-22173)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:12
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22173",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T19:12:13.342584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T19:12:18.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.376Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8642"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22173",
"datePublished": "2025-10-22T16:30:04.376Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-22T19:12:18.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22170 (GCVE-0-2025-22170)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:16
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could if they included a particular state-related parameter of a user with sufficient privileges to perform the action.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22170",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T19:16:03.345408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T19:16:07.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could if they included a particular state-related parameter of a user with sufficient privileges to perform the action."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.355Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8639"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22170",
"datePublished": "2025-10-22T16:30:04.355Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-22T19:16:07.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22174 (GCVE-0-2025-22174)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:39
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view portfolio rooms without the required permission.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22174",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T19:39:21.470781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T19:39:25.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view portfolio rooms without the required permission."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:04.050Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8643"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22174",
"datePublished": "2025-10-22T16:30:04.050Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-22T19:39:25.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22172 (GCVE-0-2025-22172)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-23 17:32
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T17:32:37.765130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T17:32:42.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:03.984Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8641"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22172",
"datePublished": "2025-10-22T16:30:03.984Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-23T17:32:42.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22176 (GCVE-0-2025-22176)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-23 17:40
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view audit log items.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22176",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T17:40:44.569011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T17:40:48.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view audit log items."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:02.956Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8645"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22176",
"datePublished": "2025-10-22T16:30:02.956Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-23T17:40:48.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22171 (GCVE-0-2025-22171)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-23 18:11
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T18:11:49.143375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T18:11:55.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:01.353Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8640"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22171",
"datePublished": "2025-10-22T16:30:01.353Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-23T18:11:55.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22168 (GCVE-0-2025-22168)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-24 14:45
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user's private checklist.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T14:45:17.604258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T14:45:20.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user\u0027s private checklist."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:00.663Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8637"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22168",
"datePublished": "2025-10-22T16:30:00.663Z",
"dateReserved": "2025-01-01T00:01:27.176Z",
"dateUpdated": "2025-10-24T14:45:20.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22177 (GCVE-0-2025-22177)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 18:48
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view other team overviews.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T18:48:37.219728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T18:48:41.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view other team overviews."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:00.632Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8646"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22177",
"datePublished": "2025-10-22T16:30:00.632Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-22T18:48:41.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22175 (GCVE-0-2025-22175)
Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-27 16:09
VLAI
EPSS
VEX
Summary
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user's private checklist.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-285 - Improper Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Unaffected:
< 11.14.0
Affected: >= 11.14.0 Affected: >= 11.14.1 Affected: >= 11.15.0 Affected: >= 11.15.1 Affected: >= 11.16.0 Unaffected: >= 11.16.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22175",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T18:08:17.435004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T16:09:06.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.0"
},
{
"status": "affected",
"version": "\u003e= 11.14.1"
},
{
"status": "affected",
"version": "\u003e= 11.15.0"
},
{
"status": "affected",
"version": "\u003e= 11.15.1"
},
{
"status": "affected",
"version": "\u003e= 11.16.0"
},
{
"status": "unaffected",
"version": "\u003e= 11.16.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Frank Lycops, NATO Cyber Security Centre"
}
],
"descriptions": [
{
"lang": "en",
"value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user\u0027s private checklist."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "Improper Authorization"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T16:30:00.592Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-8644"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2025-22175",
"datePublished": "2025-10-22T16:30:00.592Z",
"dateReserved": "2025-01-01T00:01:27.177Z",
"dateUpdated": "2025-10-27T16:09:06.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36803 (GCVE-0-2022-36803)
Vulnerability from cvelistv5 – Published: 2022-10-14 03:45 – Updated: 2024-10-02 14:23
VLAI
EPSS
VEX
Summary
The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Improper Authorization
- CWE-276 - Incorrect Default Permissions
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Affected:
unspecified , < 10.109.2
(custom)
|
|
| atlassian | jira_align |
Affected:
0 , < 10.109.2
(custom)
cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:* |
Date Public
2022-08-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:14:28.492Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JIRAALIGN-4281"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_align",
"vendor": "atlassian",
"versions": [
{
"lessThan": "10.109.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-36803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T14:14:41.079148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T14:23:56.022Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "10.109.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-08-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-4281"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-36803",
"datePublished": "2022-10-14T03:45:15.477Z",
"dateReserved": "2022-07-26T00:00:00.000Z",
"dateUpdated": "2024-10-02T14:23:56.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36802 (GCVE-0-2022-36802)
Vulnerability from cvelistv5 – Published: 2022-10-14 03:45 – Updated: 2024-10-29 15:19
VLAI
EPSS
VEX
Summary
The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Server-Side Request Forgery
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira Align |
Affected:
unspecified , < 10.109.2
(custom)
|
Date Public
2022-08-12 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:14:28.397Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-36802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T14:14:10.164355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T15:19:34.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Align",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "10.109.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-08-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-36802",
"datePublished": "2022-10-14T03:45:14.385Z",
"dateReserved": "2022-07-26T00:00:00.000Z",
"dateUpdated": "2024-10-29T15:19:34.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}