CVE-2025-22174

4.3 MEDIUM

📋 TL;DR

Jira Align contains an improper-authorization flaw: an authenticated user with a low-privilege role can call certain endpoints that should be restricted to higher-privileged roles and read the data they return, such as portfolio room information. Any instance running an affected version is exposed regardless of configuration. The impact is limited to information disclosure; the flaw does not give code execution or administrative control.

💻 Affected Systems

Products:
  • Jira Align
Versions: Not enumerated in the CVE record; see the Atlassian advisory (JIRAALIGN-8643) for the affected and fixed versions
Operating Systems: All platforms running Jira Align (the flaw is in the application, not the host)
Default Config Vulnerable: ⚠️ Yes
Notes: The missing authorization checks are in the application code for certain endpoints, not in a tunable setting, so every deployment of an affected version is exposed regardless of configuration

📦 What is this software?

Jira Align is Atlassian's enterprise agile planning platform (formerly AgileCraft), used to connect portfolio-level planning to the team-level work tracked in Jira. Portfolio rooms, the views named in this CVE, aggregate portfolio-level planning and status data, which is why exposing them to the wrong roles matters.

⚠️ Risk & Real-World Impact

🔴 Worst Case: A low-privilege user enumerates several sensitive endpoints and assembles enough portfolio and planning detail to support social engineering or to target follow-on attacks.

🟠 Likely Case: A low-privilege user views limited data such as portfolio room names or metadata, without full access to the underlying content.

🟢 If Mitigated: Authorization checks on the affected endpoints return only the data the user's role entitles them to.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (a valid login is required)
Complexity: MEDIUM

Requires authenticated low-privilege access and knowledge of specific endpoints

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Atlassian advisory for specific fixed version

Vendor Advisory: https://jira.atlassian.com/browse/JIRAALIGN-8643

Restart Required: No

Instructions:

1. Check the Atlassian advisory for the affected and fixed versions.
2. Update Jira Align to a patched version.
3. Verify the fix: as a low-privilege test user, request the previously exposed endpoints and confirm they are now denied.

🔧 Temporary Workarounds

Temporary access restriction (applies to: all affected versions)

Implement network-level restrictions (VPN, IP allow-listing) so that only your own users can reach Jira Align. This shrinks the population that can attempt the attack but does not stop an authenticated low-privilege user who already has access, because exploitation needs only a valid login.

🧯 If You Can't Patch

  • Restrict network access to Jira Align to your own users (VPN, IP allow-listing); this reduces who can attempt the attack but not the risk from an existing low-privilege account
  • Review which accounts hold low-privilege roles and remove stale or unnecessary ones, since any of them can exercise the flaw
  • Increase monitoring for low-privilege accounts requesting portfolio room or other restricted endpoints, and for bursts of requests across many endpoints from one account

🔍 How to Verify

Check if Vulnerable:

Compare the running Jira Align version against the Atlassian advisory. To confirm directly, log in as a test user with a low-privilege role and request a portfolio room that role is not entitled to see; a successful response rather than a denial indicates the instance is vulnerable.

Check Version:

The running version is shown in the Jira Align administration panel; compare it with the fixed version listed in the advisory.

Verify Fix Applied:

After patching, repeat the low-privilege test: the same portfolio room request should now be denied, and the same should hold for any other endpoint the advisory lists.
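A way to perform that verification mechanically, as an added example rather than Atlassian's tooling: the script fetches each endpoint once with a privileged session and once with a low-privilege session and compares the answers. The endpoint paths, the cookie-based session handling and the verdict names are assumptions; the real paths come from the Atlassian advisory.

```python
"""Differential authorization check for the Jira Align endpoint exposure.

Added example (not Atlassian's code): fetch each endpoint with a privileged
session and with a low-privilege session, then compare. The endpoint paths
below are placeholders; substitute the endpoints named in the advisory.
Session cookies are passed in verbatim.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# Placeholder endpoint list (assumption): replace with the advisory's endpoints.
RESTRICTED_ENDPOINTS = [
    "/example/portfolio-rooms",
    "/example/portfolio-rooms/1",
]


@dataclass
class Probe:
    path: str
    priv_status: int
    priv_body: str
    low_status: int
    low_body: str


def http_get(base_url: str, path: str, cookie: str) -> Tuple[int, str]:
    """Real HTTP GET with a session cookie; returns (status, body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Cookie": cookie, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403/404 arrive here
        return err.code, err.read().decode("utf-8", "replace")


def classify(p: Probe) -> str:
    """Decide what one endpoint pair tells us.

    LEAK         low-privilege session got the same 200 body as the
                 privileged one: the authorization check is missing.
    REVIEW       low-privilege session got a 200 with different content;
                 could be a legitimately reduced view, or a redirect to
                 the login page that urllib followed. Inspect by hand.
    OK           low-privilege session was denied (401/403/404).
    INCONCLUSIVE privileged session did not get a 200, so the endpoint
                 or the privileged session itself is wrong.
    """
    if p.priv_status != 200:
        return "INCONCLUSIVE"
    if p.low_status in (401, 403, 404):
        return "OK"
    if p.low_status == 200 and p.low_body.strip() == p.priv_body.strip():
        return "LEAK"
    return "REVIEW"  # 200 with different content, 5xx, odd 3xx: look at it


def run(
    base_url: str,
    endpoints: Iterable[str],
    priv_cookie: str,
    low_cookie: str,
    fetch: Optional[Callable[[str, str, str], Tuple[int, str]]] = None,
) -> Dict[str, str]:
    """Probe every endpoint with both sessions; fetch is injectable for testing."""
    fetch = fetch or http_get
    verdicts: Dict[str, str] = {}
    for path in endpoints:
        priv_status, priv_body = fetch(base_url, path, priv_cookie)
        low_status, low_body = fetch(base_url, path, low_cookie)
        verdicts[path] = classify(Probe(path, priv_status, priv_body, low_status, low_body))
    return verdicts


def vulnerable(verdicts: Dict[str, str]) -> bool:
    """True if any endpoint leaked to the low-privilege session."""
    return any(v == "LEAK" for v in verdicts.values())


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: authz_check.py BASE_URL PRIV_COOKIE LOW_COOKIE")
    results = run(sys.argv[1], RESTRICTED_ENDPOINTS, sys.argv[2], sys.argv[3])
    for path, verdict in results.items():
        print(f"{verdict:12} {path}")
    sys.exit(1 if vulnerable(results) else 0)
```

Run it from a host that can reach the instance, with two fresh session cookies. LEAK means the instance is vulnerable (or still vulnerable after patching); REVIEW rows need a human look, because urllib follows redirects and a bounce to the login page comes back as a 200 with different content.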

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to portfolio rooms or sensitive endpoints by low-privilege users

Network Indicators:

  • Unusual HTTP requests to restricted endpoints from low-privilege accounts

SIEM Query:

Illustrative query; the source name, field names and role values depend on how your Jira Align audit or reverse-proxy logs are ingested and must be mapped to your own schema:

source="jira-align" AND (event_type="access_denied" OR endpoint="portfolio") AND user_role="low_privilege"

A successful (not denied) request to a portfolio endpoint from a low-privilege role is the stronger signal on an unpatched instance; denied events indicate probing and are what the same activity looks like once the fix is applied.
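The same logic run over raw log lines rather than in a SIEM, as an added example that is not part of the page or of Atlassian's product: it counts, per low-privilege user, successful and denied requests to restricted paths, over constructed sample lines. The JSON log shape, the role names and the path pattern are assumptions to map onto your own logs.

```python
"""Detection over Jira Align access logs for CVE-2025-22174-style abuse.

Added example (not from the page or Atlassian). It assumes JSON-lines logs
with fields user, role, path and status, and that low-privilege roles and
restricted path shapes look like the constants below; map these to whatever
your Jira Align audit log or reverse proxy actually emits.
"""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

LOW_PRIV_ROLES = {"viewer", "team_member"}  # assumption: role names in your logs
RESTRICTED_PATH = re.compile(r"/portfolio[-_]?rooms?(/|\?|$)", re.IGNORECASE)  # assumption

# Constructed sample log: not real traffic.
SAMPLE_LOG = """\
{"ts":"2025-01-15T09:00:01Z","user":"alice","role":"viewer","method":"GET","path":"/portfolio-rooms","status":200}
{"ts":"2025-01-15T09:00:02Z","user":"alice","role":"viewer","method":"GET","path":"/portfolio-rooms/7","status":200}
{"ts":"2025-01-15T09:00:03Z","user":"bob","role":"admin","method":"GET","path":"/portfolio-rooms","status":200}
{"ts":"2025-01-15T09:00:04Z","user":"carol","role":"team_member","method":"GET","path":"/portfolio-rooms","status":403}
{"ts":"2025-01-15T09:00:05Z","user":"alice","role":"viewer","method":"GET","path":"/dashboard","status":200}
this line is not JSON and must be skipped
"""


def parse_event(line: str) -> Optional[dict]:
    """Parse one JSON log line; return None for malformed or incomplete lines."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or not all(k in ev for k in ("user", "role", "path", "status")):
        return None
    return ev


def is_restricted_access(ev: dict) -> bool:
    """True when a low-privilege role touches a restricted path, allowed or not."""
    return ev["role"] in LOW_PRIV_ROLES and bool(RESTRICTED_PATH.search(ev["path"]))


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per low-privilege user: restricted requests that succeeded vs were denied.

    A 2xx from a low-privilege role on a restricted path is the exploit
    signature on an unpatched instance; 401/403 is probing, which is what
    the same activity looks like after the patch. Other statuses are ignored.
    """
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_restricted_access(ev):
            continue
        status = int(ev["status"])
        if 200 <= status < 300:
            counts[ev["user"]]["allowed"] += 1
        elif status in (401, 403):
            counts[ev["user"]]["denied"] += 1
    return dict(counts)


def alerts(lines: Iterable[str], allowed_threshold: int = 1) -> List[str]:
    """Users whose successful restricted-endpoint reads reach the threshold."""
    return sorted(u for u, c in summarize(lines).items() if c["allowed"] >= allowed_threshold)


def probers(lines: Iterable[str]) -> List[str]:
    """Users who were denied on restricted endpoints: worth a look after patching."""
    return sorted(u for u, c in summarize(lines).items() if c["denied"] > 0)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for user, c in summarize(lines).items():
        print(f"{user:10} allowed={c['allowed']} denied={c['denied']}")
    print("alerts:", alerts(lines))
    print("probers:", probers(lines))
```

Pass `lines` as a list (not a one-shot generator) if you call both `alerts` and `probers` on the same input, since each reads the whole stream.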

🔗 References

  • Atlassian issue JIRAALIGN-8643: https://jira.atlassian.com/browse/JIRAALIGN-8643
