CVE-2025-22173: Improper Authorization in Atlassian Jira Align
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to view certain sprint data without the required permission.
AI Analysis
Technical Summary
CVE-2025-22173 is an authorization vulnerability in Atlassian Jira Align, a widely used agile project management tool. Improper authorization checks allow users holding low-level privileges to call endpoints that should be restricted to higher roles; the advisory's own example is a low-level user viewing certain sprint data without the required permission. The advisory does not enumerate which fields are exposed; sprint records typically carry timelines, task status and resource assignments, so treat those as the plausible scope rather than a confirmed list. Affected versions are 11.14.0 and above, including 11.14.1, 11.15.0, 11.15.1 and 11.16.0. The CVSS 4.0 base score is 5.3 (medium). The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, meaning the attacker needs a valid low-privilege account, not anonymous access), no user interaction (UI:N) and low confidentiality impact (VC:L), with no impact on integrity or availability. No exploits have been reported in the wild. The root cause is a failure to enforce authorization (CWE-285) on certain API endpoints or web interfaces: the server authenticates the caller but does not verify that the caller's role is entitled to the requested sprint data, so the missing check is on the server side and cannot be compensated for in the client. Disclosure of project management data aids reconnaissance by external attackers who have obtained any low-privilege account, and lets insiders read beyond their clearance level; given Jira Align's role in coordinating agile workflows, sprint data can reveal strategic planning details and resource allocations.
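To make the root cause concrete, the following added example (not Jira Align code; the handler names, role names, endpoint registry and sprint record are hypothetical) contrasts an endpoint that stops at authentication with one that also makes an explicit server-side authorization decision, and shows the differential probe an access-control audit would run with a low-privilege account.

```python
"""CWE-285 illustration: authentication without authorization versus both.
Added example for this advisory; the handler names, role names, endpoint
registry and sprint record are constructed assumptions, not Jira Align's."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed role model: only these roles may read sprint records.
ROLES_ALLOWED_TO_READ_SPRINTS = frozenset({"program_manager", "team_member"})

# Constructed stand-in for a sprint record.
SPRINTS = {42: {"name": "Sprint 42", "goal": "Payments cut-over", "capacity_points": 120}}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    authenticated: bool = True


class Forbidden(Exception):
    """Raised when a request must be refused (maps to HTTP 401/403)."""


def get_sprint_vulnerable(user: User, sprint_id: int) -> dict:
    """Checks only that the caller is logged in. Any authenticated account,
    however low its role, receives the record: the CWE-285 pattern."""
    if not user.authenticated:
        raise Forbidden("login required")
    return SPRINTS[sprint_id]


def get_sprint_hardened(user: User, sprint_id: int) -> dict:
    """Authenticates, then decides authorization on the server before touching
    data. Roles absent from the allow-list are denied by default."""
    if not user.authenticated:
        raise Forbidden("login required")
    if user.role not in ROLES_ALLOWED_TO_READ_SPRINTS:
        raise Forbidden(f"role {user.role!r} may not read sprint data")
    return SPRINTS[sprint_id]


def can_read(handler: Callable[[User, int], dict], user: User, sprint_id: int = 42) -> bool:
    """Differential probe: True if the handler discloses the record to this user."""
    try:
        handler(user, sprint_id)
        return True
    except Forbidden:
        return False


def audit_low_privilege_access(endpoints: Dict[str, Callable[[User, int], dict]],
                               low_priv: User) -> List[str]:
    """Run one low-privilege account against every registered endpoint and
    return the names of those that disclose data. A correct system returns []."""
    return sorted(name for name, handler in endpoints.items() if can_read(handler, low_priv))


if __name__ == "__main__":
    # Hypothetical endpoint registry; the paths are illustrative only.
    registry = {"GET /api/sprints/{id} (vulnerable)": get_sprint_vulnerable,
                "GET /api/sprints/{id} (hardened)": get_sprint_hardened}
    leaks = audit_low_privilege_access(registry, User("lowpriv", "viewer"))
    print("endpoints readable by a low-privilege account:", leaks)
```

The probe is deliberately role-based rather than user-based: the advisory describes a privilege-level failure, so the audit account should hold the lowest role the product offers, and every endpoint it can read that the role is not entitled to is a finding.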
Potential Impact
For European organizations, the impact is confined to confidentiality: exposure of sprint data can reveal internal timelines, resource assignments and project priorities, which competitors or threat actors could use for corporate espionage or to target follow-on attacks. Integrity and availability are not affected, but unauthorized disclosure may undermine trust in project management processes and, where sprint records contain personal data (assignee names, for instance) or sensitive business information, raise GDPR obligations. Organizations relying heavily on Jira Align for agile delivery, especially in finance, telecommunications and government, face the greater exposure. The medium score reflects that exploitation needs nothing more than a valid low-privilege account over the network, while the impact stops at information disclosure. The absence of known exploits lowers the immediate threat but does not remove it.
Mitigation Recommendations
1. Audit access control in Jira Align: log in with a low-privilege test account and confirm that it cannot retrieve sprint data it is not entitled to, rather than relying on the role configuration alone.
2. Enforce strict role-based access control (RBAC) and review user privileges regularly so that low-privilege accounts hold no more than they need.
3. Monitor Jira Align access logs for low-privilege accounts reading sprint or other restricted endpoints. Because PR:L means every exploiting request is authenticated, the useful signal is the combination of account role and endpoint, not anonymous traffic.
4. Apply Atlassian's fix as soon as it is available. No patch links are provided in this record, so track Atlassian's security advisories for the fixed Jira Align version.
5. Limit exposure by restricting access to Jira Align interfaces to trusted networks or VPNs where the deployment model allows it.
6. Train users and administrators on least privilege and secure configuration management.
7. Where feasible, add application-layer controls such as a Web Application Firewall (WAF). Caveat: the exploiting requests are well-formed and authenticated, so a WAF helps only if it can correlate the caller's role with the endpoint; it is a detection aid, not a substitute for the server-side fix.
8. Hunt proactively and include project management tools in vulnerability scanning to find similar authorization gaps.
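Recommendations 1 and 3 both come down to the same question: which accounts succeeded in reading endpoints their role is not entitled to? The added example below (not Jira Align code; the log line format, path prefixes and role names are constructed assumptions that must be mapped to the fields your own access logs actually carry) runs that check over a few constructed log lines, treating unknown roles as having no entitlements.

```python
"""Flag successful reads by accounts whose role is not entitled to the path.
Added example for this advisory; the log format, paths and role names are
constructed assumptions, not Jira Align's."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed role -> path prefixes the role may read (default deny for anything else).
ALLOWED_PREFIXES: Dict[str, Tuple[str, ...]] = {
    "viewer": ("/api/self/",),
    "team_member": ("/api/self/", "/api/sprints/"),
    "program_manager": ("/api/self/", "/api/sprints/", "/api/programs/"),
}

# Constructed line shape: <timestamp> user=<name> role=<role> <METHOD> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_unauthorized_read(entry: dict) -> bool:
    """True when the request succeeded (2xx) and the role's allow-list does not
    cover the path. A role missing from ALLOWED_PREFIXES gets an empty tuple,
    so every successful read by it is flagged (default deny)."""
    if not (200 <= int(entry["status"]) < 300):
        return False
    allowed = ALLOWED_PREFIXES.get(entry["role"], ())
    return not entry["path"].startswith(allowed)


def find_unauthorized_reads(lines: List[str]) -> List[dict]:
    """Parse each line and keep the entries that look like authorization bypass."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable lines are skipped here; count them in real use
        if is_unauthorized_read(entry):
            hits.append(entry)
    return hits


def summarize(hits: List[dict]) -> Dict[str, int]:
    """Flagged reads per account, a convenient pivot for triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts


# Constructed sample log for the demonstration.
SAMPLE_LOG = [
    "2025-10-22T16:45:00Z user=alice role=program_manager GET /api/sprints/42 200",
    "2025-10-22T16:45:03Z user=bob role=viewer GET /api/self/profile 200",
    "2025-10-22T16:45:07Z user=bob role=viewer GET /api/sprints/42 200",   # viewer read sprint data: flagged
    "2025-10-22T16:45:09Z user=bob role=viewer GET /api/programs/7 403",  # denied by the server: not flagged
    "2025-10-22T16:45:11Z user=carol role=team_member GET /api/sprints/43 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in find_unauthorized_reads(SAMPLE_LOG):
        print(f"{h['ts']} {h['user']} ({h['role']}) read {h['path']} without entitlement")
```

Only 2xx responses are flagged: a 403 means the server refused, which is the behaviour you want and not an incident. The role must come from an authoritative source (the identity provider or the application's own role table), not from anything the client sends.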
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: atlassian
- Date Reserved: 2025-01-01T00:01:27.177Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f90a3b99c688c2fb43c643
Added to database: 10/22/2025, 4:45:47 PM
Last enriched: 10/29/2025, 6:15:51 PM
Last updated: 10/30/2025, 8:45:22 AM
Related Threats
CVE-2025-11906: CWE-732 Incorrect Permission Assignment for Critical Resource in Progress Software Flowmon (Medium)
CVE-2025-11881: CWE-862 Missing Authorization in scottopolis AppPresser – Mobile App Framework (Medium)
CVE-2025-62229: Use After Free in Red Hat Red Hat Enterprise Linux 10 (High)
CVE-2025-11627: CWE-117 Improper Output Neutralization for Logs in sminozzi Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue (Medium)
CVE-2025-10008: CWE-862 Missing Authorization in remyb92 Translate WordPress and go Multilingual – Weglot (Medium)