CVE-2025-22167: 
JIRA vulnerability analysis and mitigation

A high-severity Path Traversal (Arbitrary Write) vulnerability (CVE-2025-22167) was discovered in Jira Software Data Center and Server, as well as Jira Service Management Data Center and Server. The vulnerability was introduced in versions 9.12.0 and 10.3.0, and remained present through version 11.0.0. With a CVSS score of 8.7, this vulnerability was internally discovered and reported by Atlassian (Atlassian Bulletin, NVD).

The vulnerability is classified as a Path Traversal attack with arbitrary write capabilities (CWE-22). It allows an authenticated attacker with network access to modify any filesystem path that is writable by the Jira JVM process. The vulnerability has a CVSS v4.0 vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (NVD, Security Online).

The vulnerability enables attackers with authenticated access to perform arbitrary file writes on any location accessible to the Jira JVM process. This could potentially lead to data corruption, system compromise, or even remote code execution if chained with other exploits. The high severity rating reflects the significant potential impact on system integrity and security (GBHackers).

Atlassian recommends immediate upgrade to the following fixed versions: For Jira Software Data Center and Server 9.12: upgrade to version 9.12.28 or later; For version 10.3: upgrade to 10.3.12 or later; For version 11.0: upgrade to 11.1.0 or later. Similar version upgrades are recommended for Jira Service Management Data Center and Server installations (Atlassian Bulletin).