Search

Find a vulnerability

Search criteria

    26 vulnerabilities found for jira_align by atlassian

    CVE-2025-22178 (GCVE-0-2025-22178)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 17:21
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the "Why" page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22178",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T17:21:18.410947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T17:21:57.848Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the \"Why\" page."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.731Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8647"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22178",
        "datePublished": "2025-10-22T16:30:04.731Z",
        "dateReserved": "2025-01-01T00:01:27.178Z",
        "dateUpdated": "2025-10-22T17:21:57.848Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22177 (GCVE-0-2025-22177)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 18:48
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view other team overviews.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22177",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T18:48:37.219728Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T18:48:41.714Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view other team overviews."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:00.632Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8646"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22177",
        "datePublished": "2025-10-22T16:30:00.632Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-22T18:48:41.714Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22176 (GCVE-0-2025-22176)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-23 17:40
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view audit log items.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22176",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-23T17:40:44.569011Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-23T17:40:48.512Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view audit log items."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:02.956Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8645"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22176",
        "datePublished": "2025-10-22T16:30:02.956Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-23T17:40:48.512Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22175 (GCVE-0-2025-22175)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-27 16:09
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user's private checklist.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22175",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T18:08:17.435004Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-27T16:09:06.998Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user\u0027s private checklist."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:00.592Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8644"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22175",
        "datePublished": "2025-10-22T16:30:00.592Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-27T16:09:06.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22174 (GCVE-0-2025-22174)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:39
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view portfolio rooms without the required permission.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22174",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T19:39:21.470781Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T19:39:25.240Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view portfolio rooms without the required permission."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.050Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8643"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22174",
        "datePublished": "2025-10-22T16:30:04.050Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-22T19:39:25.240Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22173 (GCVE-0-2025-22173)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:12
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22173",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T19:12:13.342584Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T19:12:18.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.376Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8642"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22173",
        "datePublished": "2025-10-22T16:30:04.376Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-22T19:12:18.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22172 (GCVE-0-2025-22172)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-23 17:32
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22172",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-23T17:32:37.765130Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-23T17:32:42.519Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:03.984Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8641"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22172",
        "datePublished": "2025-10-22T16:30:03.984Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-23T17:32:42.519Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22171 (GCVE-0-2025-22171)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-23 18:11
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22171",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-23T18:11:49.143375Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-23T18:11:55.056Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:01.353Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8640"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22171",
        "datePublished": "2025-10-22T16:30:01.353Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-23T18:11:55.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22170 (GCVE-0-2025-22170)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:16
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could if they included a particular state-related parameter of a user with sufficient privileges to perform the action.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22170",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T19:16:03.345408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T19:16:07.138Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could if they included a particular state-related parameter of a user with sufficient privileges to perform the action."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.355Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8639"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22170",
        "datePublished": "2025-10-22T16:30:04.355Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-22T19:16:07.138Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22169 (GCVE-0-2025-22169)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-22 17:24
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22169",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T17:23:53.628155Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T17:24:43.243Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.452Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8638"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22169",
        "datePublished": "2025-10-22T16:30:04.452Z",
        "dateReserved": "2025-01-01T00:01:27.176Z",
        "dateUpdated": "2025-10-22T17:24:43.243Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22168 (GCVE-0-2025-22168)

    Vulnerability from nvd – Published: 2025-10-22 16:30 – Updated: 2025-10-24 14:45
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user's private checklist.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22168",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-24T14:45:17.604258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-24T14:45:20.537Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user\u0027s private checklist."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:00.663Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8637"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22168",
        "datePublished": "2025-10-22T16:30:00.663Z",
        "dateReserved": "2025-01-01T00:01:27.176Z",
        "dateUpdated": "2025-10-24T14:45:20.537Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36803 (GCVE-0-2022-36803)

    Vulnerability from nvd – Published: 2022-10-14 03:45 – Updated: 2024-10-02 14:23
    VLAI
    Summary
    The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-276 - Incorrect Default Permissions
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Affected: unspecified , < 10.109.2 (custom)
    Create a notification for this product.
    atlassian jira_align Affected: 0 , < 10.109.2 (custom)
        cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2022-08-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:14:28.492Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JIRAALIGN-4281"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_align",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "10.109.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T14:14:41.079148Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-02T14:23:56.022Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "10.109.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-08-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-14T00:00:00.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-4281"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2022-36803",
        "datePublished": "2022-10-14T03:45:15.477Z",
        "dateReserved": "2022-07-26T00:00:00.000Z",
        "dateUpdated": "2024-10-02T14:23:56.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36802 (GCVE-0-2022-36802)

    Vulnerability from nvd – Published: 2022-10-14 03:45 – Updated: 2024-10-29 15:19
    VLAI
    Summary
    The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Server-Side Request Forgery
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Affected: unspecified , < 10.109.2 (custom)
    Create a notification for this product.
    Date Public
    2022-08-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:14:28.397Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.9,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36802",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T14:14:10.164355Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-918",
                    "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T15:19:34.058Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "10.109.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-08-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-14T00:00:00.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2022-36802",
        "datePublished": "2022-10-14T03:45:14.385Z",
        "dateReserved": "2022-07-26T00:00:00.000Z",
        "dateUpdated": "2024-10-29T15:19:34.058Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22178 (GCVE-0-2025-22178)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 17:21
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the "Why" page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22178",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T17:21:18.410947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T17:21:57.848Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view items on the \"Why\" page."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.731Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8647"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22178",
        "datePublished": "2025-10-22T16:30:04.731Z",
        "dateReserved": "2025-01-01T00:01:27.178Z",
        "dateUpdated": "2025-10-22T17:21:57.848Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22169 (GCVE-0-2025-22169)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 17:24
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22169",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T17:23:53.628155Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T17:24:43.243Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to subscribe to an item/object without having the expected permission level."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.452Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8638"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22169",
        "datePublished": "2025-10-22T16:30:04.452Z",
        "dateReserved": "2025-01-01T00:01:27.176Z",
        "dateUpdated": "2025-10-22T17:24:43.243Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22173 (GCVE-0-2025-22173)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:12
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22173",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T19:12:13.342584Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T19:12:18.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.376Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8642"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22173",
        "datePublished": "2025-10-22T16:30:04.376Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-22T19:12:18.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22170 (GCVE-0-2025-22170)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:16
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could if they included a particular state-related parameter of a user with sufficient privileges to perform the action.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22170",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T19:16:03.345408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T19:16:07.138Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user without sufficient privileges to perform an action could if they included a particular state-related parameter of a user with sufficient privileges to perform the action."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.355Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8639"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22170",
        "datePublished": "2025-10-22T16:30:04.355Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-22T19:16:07.138Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22174 (GCVE-0-2025-22174)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 19:39
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view portfolio rooms without the required permission.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22174",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T19:39:21.470781Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T19:39:25.240Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view portfolio rooms without the required permission."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:04.050Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8643"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22174",
        "datePublished": "2025-10-22T16:30:04.050Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-22T19:39:25.240Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22172 (GCVE-0-2025-22172)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-23 17:32
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22172",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-23T17:32:37.765130Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-23T17:32:42.519Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:03.984Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8641"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22172",
        "datePublished": "2025-10-22T16:30:03.984Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-23T17:32:42.519Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22176 (GCVE-0-2025-22176)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-23 17:40
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view audit log items.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22176",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-23T17:40:44.569011Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-23T17:40:48.512Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view audit log items."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:02.956Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8645"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22176",
        "datePublished": "2025-10-22T16:30:02.956Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-23T17:40:48.512Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22171 (GCVE-0-2025-22171)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-23 18:11
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22171",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-23T18:11:49.143375Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-23T18:11:55.056Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user is able to alter the private checklists of other users."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:01.353Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8640"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22171",
        "datePublished": "2025-10-22T16:30:01.353Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-23T18:11:55.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22168 (GCVE-0-2025-22168)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-24 14:45
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user's private checklist.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22168",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-24T14:45:17.604258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-24T14:45:20.537Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read the steps of another user\u0027s private checklist."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:00.663Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8637"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22168",
        "datePublished": "2025-10-22T16:30:00.663Z",
        "dateReserved": "2025-01-01T00:01:27.176Z",
        "dateUpdated": "2025-10-24T14:45:20.537Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22177 (GCVE-0-2025-22177)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-22 18:48
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view other team overviews.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22177",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T18:48:37.219728Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T18:48:41.714Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view other team overviews."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:00.632Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8646"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22177",
        "datePublished": "2025-10-22T16:30:00.632Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-22T18:48:41.714Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-22175 (GCVE-0-2025-22175)

    Vulnerability from cvelistv5 – Published: 2025-10-22 16:30 – Updated: 2025-10-27 16:09
    VLAI
    Summary
    Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user's private checklist.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-285 - Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Unaffected: < 11.14.0
    Affected: >= 11.14.0
    Affected: >= 11.14.1
    Affected: >= 11.15.0
    Affected: >= 11.15.1
    Affected: >= 11.16.0
    Unaffected: >= 11.16.1
    Create a notification for this product.
    Credits
    Frank Lycops, NATO Cyber Security Centre
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22175",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T18:08:17.435004Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-285",
                    "description": "CWE-285 Improper Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-27T16:09:06.998Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.0"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 11.16.0"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 11.16.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Frank Lycops, NATO Cyber Security Centre"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to modify the steps of another user\u0027s private checklist."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "Improper Authorization"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-22T16:30:00.592Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-8644"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2025-22175",
        "datePublished": "2025-10-22T16:30:00.592Z",
        "dateReserved": "2025-01-01T00:01:27.177Z",
        "dateUpdated": "2025-10-27T16:09:06.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36803 (GCVE-0-2022-36803)

    Vulnerability from cvelistv5 – Published: 2022-10-14 03:45 – Updated: 2024-10-02 14:23
    VLAI
    Summary
    The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    • CWE-276 - Incorrect Default Permissions
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Affected: unspecified , < 10.109.2 (custom)
    Create a notification for this product.
    atlassian jira_align Affected: 0 , < 10.109.2 (custom)
        cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2022-08-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:14:28.492Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JIRAALIGN-4281"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_align:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_align",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "10.109.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T14:14:41.079148Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-02T14:23:56.022Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "10.109.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-08-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-14T00:00:00.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-4281"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2022-36803",
        "datePublished": "2022-10-14T03:45:15.477Z",
        "dateReserved": "2022-07-26T00:00:00.000Z",
        "dateUpdated": "2024-10-02T14:23:56.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36802 (GCVE-0-2022-36802)

    Vulnerability from cvelistv5 – Published: 2022-10-14 03:45 – Updated: 2024-10-29 15:19
    VLAI
    Summary
    The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Server-Side Request Forgery
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Align Affected: unspecified , < 10.109.2 (custom)
    Create a notification for this product.
    Date Public
    2022-08-12 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:14:28.397Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.9,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36802",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T14:14:10.164355Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-918",
                    "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T15:19:34.058Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Align",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "10.109.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-08-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-14T00:00:00.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JIRAALIGN-4326"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2022-36802",
        "datePublished": "2022-10-14T03:45:14.385Z",
        "dateReserved": "2022-07-26T00:00:00.000Z",
        "dateUpdated": "2024-10-29T15:19:34.058Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }