Vulnerability-Lookup

BDU:2025-06344

Vulnerability from fstec - Published: 23.04.2025

Title

Уязвимость функций «Print» и «Export Word» программного продукта обработки данных Atlassian Jira Service Management Data Center and Server, позволяющая нарушителю повысить свои привилегии

Description

Уязвимость функций «Print» и «Export Word» программного продукта обработки данных Atlassian Jira Service Management Data Center and Server связана с недостатками разграничения доступа. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, повысить свои привилегии

Severity ?


                    
                      AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H


                    
                      AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Vendor

Atlassian

Software Name

Jira Service Management Server and Data Center, Jira Data Center, Jira Service Management Data Center

Software Version

от 10.5.0 до 10.5.1 (Jira Service Management Server and Data Center), от 10.4.0 до 10.4.1 (Jira Service Management Server and Data Center), от 10.3.0 до 10.3.4 (LTS) (Jira Service Management Server and Data Center), от 10.2.0 до 10.2.1 (Jira Service Management Server and Data Center), от 10.1.1 до 10.1.2 (Jira Service Management Server and Data Center), от 10.0.0 до 10.0.1 (Jira Service Management Server and Data Center), от 5.17.0 до 5.17.5 (Jira Service Management Server and Data Center), от 5.16.0 до 5.16.1 (Jira Service Management Server and Data Center), 5.15.2 (Jira Service Management Server and Data Center), от 5.14.0 до 5.14.1 (Jira Service Management Server and Data Center), от 9.12.0 до 9.12.20 (Jira Data Center), от 10.3.0 до 10.3.5 (Jira Data Center), от 10.4.0 до 10.5.1 (Jira Data Center), от 5.12.0 до 9.12.20 (Jira Service Management Data Center), от 10.3.0 до 10.3.5 (Jira Service Management Data Center), от 10.5.0 до 10.6.0 (Jira Service Management Data Center), от 10.4.0 до 10.5.1 (Jira Service Management Data Center)

Possible Mitigations

Использование рекомендаций производителя: https://confluence.atlassian.com/pages/viewpage.action?pageId=1561365992 https://jira.atlassian.com/browse/JRASERVER-78766 https://jira.atlassian.com/browse/JSDSERVER-16206 https://www.atlassian.com/software/jira/core/download Компенсирующие меры: В случае невозможности установки обновления программного обеспечения рекомендуется ограничить доступ недоверенных пользователей к программному обеспечению сторонними средствами защиты с использованием технологии "белых" и "черных" списков.

Reference

https://confluence.atlassian.com/pages/viewpage.action?pageId=1561365992 https://jira.atlassian.com/browse/JRASERVER-78766 https://jira.atlassian.com/browse/JSDSERVER-16206

CWE

CWE-284

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:P/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
  "CVSS 4.0": "AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Atlassian",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 10.5.0 \u0434\u043e 10.5.1 (Jira Service Management Server and Data Center), \u043e\u0442 10.4.0 \u0434\u043e 10.4.1 (Jira Service Management Server and Data Center), \u043e\u0442 10.3.0 \u0434\u043e 10.3.4 (LTS) (Jira Service Management Server and Data Center), \u043e\u0442 10.2.0 \u0434\u043e 10.2.1 (Jira Service Management Server and Data Center), \u043e\u0442 10.1.1 \u0434\u043e 10.1.2 (Jira Service Management Server and Data Center), \u043e\u0442 10.0.0 \u0434\u043e 10.0.1 (Jira Service Management Server and Data Center), \u043e\u0442 5.17.0 \u0434\u043e 5.17.5 (Jira Service Management Server and Data Center), \u043e\u0442 5.16.0 \u0434\u043e 5.16.1 (Jira Service Management Server and Data Center), 5.15.2 (Jira Service Management Server and Data Center), \u043e\u0442 5.14.0 \u0434\u043e 5.14.1 (Jira Service Management Server and Data Center), \u043e\u0442 9.12.0 \u0434\u043e 9.12.20 (Jira Data Center), \u043e\u0442 10.3.0 \u0434\u043e 10.3.5 (Jira Data Center), \u043e\u0442 10.4.0 \u0434\u043e 10.5.1 (Jira Data Center), \u043e\u0442 5.12.0 \u0434\u043e 9.12.20 (Jira Service Management Data Center), \u043e\u0442 10.3.0 \u0434\u043e 10.3.5 (Jira Service Management Data Center), \u043e\u0442 10.5.0 \u0434\u043e 10.6.0 (Jira Service Management Data Center), \u043e\u0442 10.4.0 \u0434\u043e 10.5.1 (Jira Service Management Data Center)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://confluence.atlassian.com/pages/viewpage.action?pageId=1561365992\t\nhttps://jira.atlassian.com/browse/JRASERVER-78766\t\nhttps://jira.atlassian.com/browse/JSDSERVER-16206\nhttps://www.atlassian.com/software/jira/core/download\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n\u0412 \u0441\u043b\u0443\u0447\u0430\u0435 \u043d\u0435\u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043d\u0435\u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u043a \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0438\u043c\u0438 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\u043c\u0438 \u0437\u0430\u0449\u0438\u0442\u044b \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0438 \"\u0431\u0435\u043b\u044b\u0445\" \u0438 \"\u0447\u0435\u0440\u043d\u044b\u0445\" \u0441\u043f\u0438\u0441\u043a\u043e\u0432.",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "23.04.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "05.06.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.06.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-06344",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-22157",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Jira Service Management Server and Data Center, Jira Data Center, Jira Service Management Data Center",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0439 \u00abPrint\u00bb \u0438 \u00abExport Word\u00bb \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u0430 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 Atlassian Jira Service Management Data Center and Server, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (CWE-284)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0439 \u00abPrint\u00bb \u0438 \u00abExport Word\u00bb \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u0430 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 Atlassian Jira Service Management Data Center and Server \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u0440\u0430\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1561365992\t\nhttps://jira.atlassian.com/browse/JRASERVER-78766\t\nhttps://jira.atlassian.com/browse/JSDSERVER-16206",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041f\u041e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-284",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,7)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,3)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u043e\u0446\u0435\u043d\u043a\u0430 CVSS 4.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,2)"
}

CVE-2025-22157 (GCVE-0-2025-22157)

Vulnerability from cvelistv5 – Published: 2025-05-20 18:00 – Updated: 2026-02-26 18:28

Summary

This High severity PrivEsc (Privilege Escalation) vulnerability was introduced in versions: 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core Data Center and Server 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server This PrivEsc (Privilege Escalation) vulnerability, with a CVSS Score of 7.2, allows an attacker to perform actions as a higher-privileged user. Atlassian recommends that Jira Core Data Center and Server and Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Jira Core Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.20 Jira Service Management Data Center and Server 5.12: Upgrade to a release greater than or equal to 5.12.20 Jira Core Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5 Jira Service Management Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5 Jira Core Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0 Jira Service Management Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0 Jira Core Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1 Jira Service Management Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1 See the release notes. You can download the latest version of Jira Core Data Center and Jira Service Management Data Center from the download center. This vulnerability was reported via our Atlassian (Internal) program.

Severity ?

7.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

PrivEsc (Privilege Escalation)

Assigner

atlassian

References

URL

Tags

	https://confluence.atlassian.com/pages/viewpage.a…
	https://jira.atlassian.com/browse/JRASERVER-78766
	https://jira.atlassian.com/browse/JSDSERVER-16206

Impacted products

Vendor

Product

Version

Atlassian

Jira Core Data Center

Affected: 10.5.0
Affected: 10.4.0 to 10.4.1
Affected: 10.3.0 to 10.3.4
Affected: 9.12.0 to 9.12.19
Unaffected: 10.6.0
Unaffected: 10.5.1
Unaffected: 10.3.5 to 10.3.6
Unaffected: 9.12.22 to 9.12.23

Atlassian	Jira Core Server	Affected: 9.12.0 to 9.12.19 Unaffected: 9.12.22 to 9.12.23
Atlassian	Jira Service Management Data Center	Affected: 10.5.0 Affected: 10.4.0 to 10.4.1 Affected: 10.3.0 to 10.3.4 Affected: 5.12.0 to 5.12.19 Unaffected: 10.6.0 Unaffected: 10.5.1 Unaffected: 10.3.5 to 10.3.6 Unaffected: 5.12.22 to 5.12.23
Atlassian	Jira Service Management Server	Affected: 5.12.0 to 5.12.19 Unaffected: 5.12.22 to 5.12.23

Credits

Internal (Atlassian)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22157",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-21T03:55:33.263670Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-284",
                "description": "CWE-284 Improper Access Control",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T18:28:05.031Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jira Core Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "10.5.0"
            },
            {
              "status": "affected",
              "version": "10.4.0 to 10.4.1"
            },
            {
              "status": "affected",
              "version": "10.3.0 to 10.3.4"
            },
            {
              "status": "affected",
              "version": "9.12.0 to 9.12.19"
            },
            {
              "status": "unaffected",
              "version": "10.6.0"
            },
            {
              "status": "unaffected",
              "version": "10.5.1"
            },
            {
              "status": "unaffected",
              "version": "10.3.5 to 10.3.6"
            },
            {
              "status": "unaffected",
              "version": "9.12.22 to 9.12.23"
            }
          ]
        },
        {
          "product": "Jira Core Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "9.12.0 to 9.12.19"
            },
            {
              "status": "unaffected",
              "version": "9.12.22 to 9.12.23"
            }
          ]
        },
        {
          "product": "Jira Service Management Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "10.5.0"
            },
            {
              "status": "affected",
              "version": "10.4.0 to 10.4.1"
            },
            {
              "status": "affected",
              "version": "10.3.0 to 10.3.4"
            },
            {
              "status": "affected",
              "version": "5.12.0 to 5.12.19"
            },
            {
              "status": "unaffected",
              "version": "10.6.0"
            },
            {
              "status": "unaffected",
              "version": "10.5.1"
            },
            {
              "status": "unaffected",
              "version": "10.3.5 to 10.3.6"
            },
            {
              "status": "unaffected",
              "version": "5.12.22 to 5.12.23"
            }
          ]
        },
        {
          "product": "Jira Service Management Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "status": "affected",
              "version": "5.12.0 to 5.12.19"
            },
            {
              "status": "unaffected",
              "version": "5.12.22 to 5.12.23"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:10.5.0:*:*:*:data_center:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "10.4.1",
                  "versionStartIncluding": "10.4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "10.3.4",
                  "versionStartIncluding": "10.3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "9.12.19",
                  "versionStartIncluding": "9.12.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:10.6.0:*:*:*:data_center:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:10.5.1:*:*:*:data_center:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "10.3.6",
                  "versionStartIncluding": "10.3.5",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "9.12.23",
                  "versionStartIncluding": "9.12.22",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:*:*:*:*:server:*:*:*",
                  "versionEndIncluding": "9.12.19",
                  "versionStartIncluding": "9.12.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_core:*:*:*:*:server:*:*:*",
                  "versionEndIncluding": "9.12.23",
                  "versionStartIncluding": "9.12.22",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:10.5.0:*:*:*:data_center:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "10.4.1",
                  "versionStartIncluding": "10.4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "10.3.4",
                  "versionStartIncluding": "10.3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "5.12.19",
                  "versionStartIncluding": "5.12.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:10.6.0:*:*:*:data_center:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:10.5.1:*:*:*:data_center:*:*:*",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "10.3.6",
                  "versionStartIncluding": "10.3.5",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*",
                  "versionEndIncluding": "5.12.23",
                  "versionStartIncluding": "5.12.22",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
                  "versionEndIncluding": "5.12.19",
                  "versionStartIncluding": "5.12.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*",
                  "versionEndIncluding": "5.12.23",
                  "versionStartIncluding": "5.12.22",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Internal (Atlassian)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This High severity PrivEsc (Privilege Escalation) vulnerability was introduced in versions:\n\n9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core Data Center and Server\n\n5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server\n\nThis PrivEsc (Privilege Escalation) vulnerability, with a CVSS Score of 7.2, allows an attacker to perform actions as a higher-privileged user. \n\nAtlassian recommends that Jira Core Data Center and Server and Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\nJira Core Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.20\n\nJira Service Management Data Center and Server 5.12: Upgrade to a release greater than or equal to 5.12.20\n\nJira Core Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5\n\nJira Service Management Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5\n\nJira Core Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0\n\nJira Service Management Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0\n\nJira Core Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1\n\nJira Service Management Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1\n\nSee the release notes. You can download the latest version of Jira Core Data Center and Jira Service Management Data Center from the download center. \n\nThis vulnerability was reported via our Atlassian (Internal) program."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "PrivEsc (Privilege Escalation)",
              "lang": "en",
              "type": "PrivEsc (Privilege Escalation)"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-20T18:00:01.328Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1561365992"
        },
        {
          "url": "https://jira.atlassian.com/browse/JRASERVER-78766"
        },
        {
          "url": "https://jira.atlassian.com/browse/JSDSERVER-16206"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2025-22157",
    "datePublished": "2025-05-20T18:00:01.328Z",
    "dateReserved": "2025-01-01T00:01:27.175Z",
    "dateUpdated": "2026-02-26T18:28:05.031Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

BDU:2025-06344

CVE-2025-22157 (GCVE-0-2025-22157)

Tags

Sightings

Nomenclature