Atlassian has released patches addressing a high-severity Path Traversal vulnerability (CVE-2025-22167) affecting Jira Software Data Center and Server as well as Jira Service Management Data Center and Server. The flaw, rated CVSS 8.7, allows attackers to perform arbitrary file writes on systems running vulnerable Jira versions, potentially leading to data corruption or remote code execution if chained with other exploits.
“This Path Traversal (Arbitrary Write) vulnerability, with a CVSS Score of 8.7, allows an attacker to modify any filesystem path writable by the Jira JVM process,” Atlassian warned in its advisory.
The vulnerability, tracked as CVE-2025-22167, was introduced in Jira Software versions 9.12.0 and 10.3.0, persisting through 11.0.0. For Jira Service Management, the issue was introduced in versions 5.12.0 and 10.3.0.
Atlassian’s engineers confirmed that exploitation could allow an attacker with network access to the Jira web interface to write arbitrary data to any path writable by the Jira JVM process, enabling a range of post-exploitation scenarios from tampering with configurations to achieving remote code execution depending on system setup.
The issue impacts multiple Atlassian product lines under active enterprise deployment:
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| Jira Software Data Center & Server | 9.12.0–11.0.0 | 9.12.28+, 10.3.12+, 11.1.0+ |
| Jira Service Management Data Center & Server | 5.12.0–10.3.0 | 5.12.29+, 10.3.12+ |
Atlassian advises immediate upgrades to one of the listed patched versions or later.
“Atlassian recommends that Jira Software Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions,” the advisory reads.
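An added example, not code from Atlassian or this article, that turns the version table above into a patch-status check an inventory script can call. It compares versions as integer tuples (so 9.12.28 sorts correctly after 9.12.9) and treats a release as patched only when it is at or above a listed fix on its own maintenance line or at or beyond the newest fixed release; the product keys and function names are this example's own, and the assumption that any other release from the first affected version onward is unpatched is stated in the code.

```python
# Added example, not from Atlassian's advisory or this article: classify a
# Jira Software / Jira Service Management version against the CVE-2025-22167
# affected range and fixed versions from the table above. Product keys and
# function names are this example's own; the version numbers come from the table.
# First affected release per product (9.12.0 for Jira Software, 5.12.0 for JSM).
FIRST_AFFECTED = {
    "jira-software": (9, 12, 0),
    "jira-service-management": (5, 12, 0),
}
# Fixed releases: each means "this version or later on its major.minor line";
# the highest entry also means "anything newer than this".
FIXED = {
    "jira-software": [(9, 12, 28), (10, 3, 12), (11, 1, 0)],
    "jira-service-management": [(5, 12, 29), (10, 3, 12)],
}


def parse_version(text):
    """Parse 'major.minor.patch' into a comparable tuple; missing parts are 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_vulnerable(product, version):
    """True if the release should be treated as unpatched for CVE-2025-22167.
    Assumption: every release from the first affected version onward is
    unpatched unless it is at/above a listed fix on its own maintenance line
    or at/above the newest fixed release.
    """
    v = parse_version(version)
    if v < FIRST_AFFECTED[product]:
        return False  # predates the change that introduced the flaw
    fixes = FIXED[product]
    for fixed in fixes:
        if v[:2] == fixed[:2] and v >= fixed:
            return False  # on a patched maintenance line, e.g. 9.12.28+
    if v >= max(fixes):
        return False  # at or past the newest fixed release, e.g. 11.1.0+
    return True


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    for product, ver in [("jira-software", "9.12.27"), ("jira-software", "10.3.12"),
                         ("jira-service-management", "5.12.29"), ("jira-software", "10.4.0")]:
        print(product, ver, "UPGRADE" if is_vulnerable(product, ver) else "ok")
```

Note that a release such as 10.4.0 sits inside the affected range but on no fixed maintenance line, so the check reports it as needing an upgrade to 11.1.0 or later.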