Related vulnerability
Description
CVE-2025-22167 scanner script
Introduction
# README — CVE-2025-22167 (Atlassian Jira)
> **For defensive use only.**
> This README describes CVE-2025-22167 (a high‑severity path‑traversal / arbitrary‑file‑write vulnerability affecting Atlassian Jira). It explains what the issue is, how it happens at a high level, safe detection guidance, mitigation and remediation steps, and recommended monitoring/forensics. Do **NOT** use any exploitation techniques against systems you do not own or do not have explicit written authorization to test.
---
## Summary
- **CVE:** CVE-2025-22167
- **Type:** Path Traversal → Arbitrary File Write
- **Impact:** Allows modification (write) of any filesystem path writable by the Jira JVM process; can lead to data corruption, webshell implantation, or RCE when chained with other issues.
- **Severity:** High — CVSS v3.1 score reported as **8.7**.
- **Affected products / versions:** Jira Software Data Center & Server (introduced in 9.12.0 and 10.3.0; present through 11.0.0 in the reported advisory), and related Jira Service Management Data Center & Server lines per Atlassian bulletin. Check the official Atlassian bulletin for exact fixed version numbers.
---
## How the vulnerability works (high-level)
A component of Jira failed to properly validate or canonicalize input that is used to derive filesystem paths. By supplying specially crafted path-like input that traverses directories (e.g., sequences like `../` or their URL‑encoded equivalents), an attacker can cause the application to write a file to a path outside the intended storage area. Because the write operation runs with the privileges of the Jira JVM process, the attacker can modify any location writable by that process — potentially overwriting configuration, planting a webshell, or otherwise tampering with host files.
---
## Safe detection (Non‑intrusive / recommended)
**Important:** Do *not* perform exploitative writes on production systems. Detection should be non‑intrusive and inference‑based unless you have explicit authorization and are working in an isolated test lab.
1. **Version identification (safe):**
   - Query the Jira server info endpoints: `/rest/api/2/serverInfo`, `/rest/api/3/serverInfo`, or `/rest/api/latest/serverInfo`; these commonly return `version` in JSON. If the reported version falls into the affected range, treat the host as *potentially vulnerable*.
2. **Header / HTML fingerprinting (safe fallback):**
   - If serverInfo is inaccessible, try to find version strings in HTTP headers or in HTML page titles/body. If no version can be determined, classify the target as *unknown* and recommend further manual review.
3. **Log inspection (safe):**
   - Look for anomalous HTTP requests with path‑traversal payloads in access logs, and for errors/exceptions in application logs that reference file I/O failures or unexpected paths.
4. **Use a non‑exploit scanner:**
   - Use the provided safe scanner (or another defensive scanner) that only collects version info and flags potentially affected hosts. Do not include any module that attempts to write files or verify writes.
References describing the vulnerability and detection: Atlassian Security Bulletin and NVD entry.
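An added example (not the repository's scanner script) of the version-based triage the steps above describe: parse the serverInfo JSON, fall back to a version string in HTML, and classify the host against the range summarized in this README. The inclusive 9.12.0 to 11.0.0 span is an assumption taken from the summary, not from the Atlassian bulletin, and the sample responses are constructed.

```python
import json
import re

# Affected span as summarized in this README: introduced in 9.12.0, present
# through 11.0.0. Assumption: one inclusive span; replace the bounds with the
# fixed versions from the Atlassian bulletin before relying on the result.
AFFECTED_MIN = (9, 12, 0)
AFFECTED_MAX = (11, 0, 0)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return the first x.y.z version in text as an int tuple, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def version_from_server_info(body):
    """Read 'version' from a /rest/api/*/serverInfo JSON body (safe GET only)."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    return parse_version(str(data.get("version", ""))) if isinstance(data, dict) else None

def classify(version):
    """Map a parsed version to a triage label; never probes for the bug itself."""
    if version is None:
        return "unknown"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "potentially vulnerable"
    return "not in reported range"

def triage(server_info_body, html_body):
    """serverInfo first; fall back to a version string in HTML; else unknown."""
    version = version_from_server_info(server_info_body) if server_info_body else None
    if version is None and html_body:
        version = parse_version(html_body)
    return classify(version)

# Constructed sample responses, not captured from any real host.
SAMPLE_SERVER_INFO = '{"baseUrl": "https://jira.example.test", "version": "9.12.4"}'
SAMPLE_HTML = '<meta name="application-name" content="JIRA" data-version="10.3.1">'

if __name__ == "__main__":
    print(triage(SAMPLE_SERVER_INFO, None))      # potentially vulnerable
    print(triage(None, SAMPLE_HTML))             # potentially vulnerable
    print(triage("not json", "<html></html>"))   # unknown
```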
---
## Immediate mitigation (short term)
If you cannot patch immediately, apply one or more of the following temporary mitigations:
- **Restrict access to Jira** — limit network exposure (place behind VPN, restrict admin interfaces to trusted IPs, or firewall/ACL rules).
- **Use WAF rules** to block path‑traversal patterns (e.g., `../`, `..%2f`, suspicious `..` encodings) at the perimeter. Test rules to avoid blocking legitimate traffic. Example ModSecurity rule (illustrative):
```apache
# Illustrative only: tune to the deployment and test against legitimate traffic.
# t:urlDecodeUni,t:lowercase normalise encoded and mixed-case variants (e.g. ..%2F)
# before the pattern is applied.
SecRule REQUEST_URI|ARGS "@rx (\.\./|\.\.%2f|%2e%2e\/)" \
    "id:100001,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:lowercase,msg:'Possible path traversal attempt',log,logdata:'%{MATCHED_VAR}'"
```
File snapshot
[4.0K] /data/pocs/82bd712666dfee7e693aa40a6ffc51acfc4959a4
├── [8.0K] jira_cve2025_22167_scanner.py
└── [3.8K] README.md
0 directories, 2 files
Notes
1. Accessing the original source is recommended first.
2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.