CVE-2025-22157 Overview
CVE-2025-22157 is a high severity privilege escalation vulnerability affecting Atlassian Jira Core Data Center and Server, along with Jira Service Management Data Center and Server. The flaw allows an authenticated attacker with low privileges to perform actions as a higher-privileged user across the network. Atlassian disclosed the issue through its internal security program and published patches across multiple supported release lines. The vulnerability is categorized under [CWE-284] Improper Access Control and impacts both integrity and availability of the targeted Jira instance.
Critical Impact
An authenticated attacker can escalate privileges within Jira Core or Jira Service Management to perform actions reserved for higher-privileged accounts, undermining access controls protecting issue data, workflows, and administrative operations.
Affected Products
- Jira Core Data Center and Server versions 9.12.0, 10.3.0, 10.4.0, and 10.5.0
- Jira Service Management Data Center and Server versions 5.12.0, 10.3.0, 10.4.0, and 10.5.0
- Atlassian Jira Data Center and Jira Server deployments running affected releases
Discovery Timeline
- 2025-05-20 - CVE-2025-22157 published to NVD
- 2025-06-12 - Last updated in NVD database
- Reported via the Atlassian internal security program
Technical Details for CVE-2025-22157
Vulnerability Analysis
The vulnerability resides in the access control logic of Jira Core Data Center and Server, and Jira Service Management Data Center and Server. An authenticated user with low privileges can exploit the flaw over the network without user interaction to elevate their effective permissions. Successful exploitation enables the attacker to execute operations otherwise restricted to higher-privileged roles, which can include modifying project configurations, accessing restricted issues, or performing administrative actions depending on the targeted instance.
The weakness is classified as [CWE-284] Improper Access Control, indicating that the application fails to correctly enforce authorization checks on certain functions or resources. Because Jira deployments commonly hold sensitive project, customer, and engineering data, privilege escalation in this context can serve as a pivot for broader compromise of downstream integrations such as Confluence, Bitbucket, or CI/CD pipelines.
Root Cause
The root cause is improper enforcement of authorization within affected Jira endpoints. Authorization decisions do not adequately verify whether the requesting principal holds the privilege level required for the targeted operation, allowing low-privileged sessions to invoke higher-privileged behavior.
Attack Vector
Exploitation occurs over the network against a vulnerable Jira instance. The attacker requires valid low-privileged credentials but does not need user interaction. Atlassian has not published exploit details, and no public proof of concept is available at the time of writing. See the Atlassian advisory for JRASERVER-78766 and the JSDSERVER-16206 issue for additional vendor context.
Detection Methods for CVE-2025-22157
Indicators of Compromise
- Unexpected role or permission changes within Jira projects performed by accounts that historically lacked administrative rights
- Audit log entries showing low-privileged users invoking administrative REST endpoints or modifying workflow, scheme, or permission configurations
- Creation or modification of service desk requests, custom fields, or automation rules by accounts not authorized for those actions
Detection Strategies
- Review the Jira audit log for anomalies in permission scheme, project role, and global permission changes correlated with non-administrative accounts
- Monitor authenticated REST API calls to administrative paths under /rest/api/ and /rest/servicedeskapi/ originating from low-privileged session tokens
- Compare effective user permissions before and after suspicious activity windows to identify covert escalation
Monitoring Recommendations
- Forward Jira application logs and audit trails to a centralized SIEM for correlation with identity provider events
- Alert on bursts of HTTP 200 responses to administrative endpoints from accounts outside the administrator group
- Track failed access control checks and authorization errors that may indicate enumeration of the vulnerable functionality
How to Mitigate CVE-2025-22157
Immediate Actions Required
- Inventory all Jira Core and Jira Service Management Data Center and Server deployments and identify instances running affected versions
- Restrict network access to Jira management interfaces to trusted administrative networks until patches are applied
- Rotate credentials for any accounts suspected of abuse and review recent permission changes for unauthorized modifications
Patch Information
Atlassian recommends upgrading to the latest supported release. Customers unable to move to the latest version should upgrade to one of the following fixed releases: Jira Core Data Center and Server 9.12 to 9.12.20 or later, Jira Service Management Data Center and Server 5.12 to 5.12.20 or later, Jira Core and Jira Service Management Data Center 10.3 to 10.3.5 or later, Jira Core and Jira Service Management Data Center 10.4 to 10.6.0 or later, and Jira Core and Jira Service Management Data Center 10.5 to 10.5.1 or later. Refer to the Atlassian security advisory for the authoritative fix matrix and download links.
Workarounds
- No vendor-supplied workaround is published; upgrading to a fixed release is the supported remediation
- Limit Jira account provisioning so that only required users hold authenticated access, reducing the population able to exploit the flaw
- Place Jira behind a reverse proxy or VPN that enforces strict authentication and source IP restrictions until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
