Atlassian Jira
AtlassianCI/CD6 credentials
Database Password
atlassian-jira / database-password
Jira Server and Data Center store the database connection details in dbconfig.xml in the Jira home directory. The file includes the database username and password used by Jira to connect to its relational database.
Looks like
pattern<username>[^<]+</username>\s*<password>[^<]*</password><password>[^<]*</password>Location
$JIRA_HOME/dbconfig.xmlJira home root; created by setup wizard or database configuration tool
Jira home backups, migration bundles, VM snapshots, support zips
Notes
dbconfig.xml is required to reconnect Jira to its database during server migrations and upgrades, so it is frequently copied into backup sets and operational runbooks. Access to the database account is often enough to read issue data, user directories, plugin state, and stored integration metadata outside the Jira application layer.
Local User / Administrator Password
atlassian-jira / local-user-admin-password
Jira local users, including the administrator created during setup, authenticate with passwords stored in Jira's configured user directory. For the internal directory, the password hash is stored in Jira's database rather than in dbconfig.xml.
Looks like
patterncwd_user.*credential[^\\s:@]+@[^\\s:@]+:[^\\s:]+Location
Jira internal user directory tables, including cwd_user credential data
/login.jspJira web login for local users and administrators
/rest/api/*REST API Basic authentication in Server/Data Center deployments
legacy scripts and integrations that still embed username/password auth
Notes
There is no universal shipped Jira administrator password. The initial administrator is created by the setup flow or by an operator, and later users may be local, LDAP-backed, SSO-backed, or externally managed. Include literal passwords only for product-specific defaults or CVE-backed hardcoded accounts, not for Jira as a generic product.
Data Center Personal Access Token
atlassian-jira / data-center-personal-access-token
Jira Data Center and Server support personal access tokens for scripts and external integrations. Atlassian documents PATs as bearer tokens passed in the Authorization header for REST API calls.
Looks like
patternAuthorization:\s*Bearer\s+[^\s]+Location
JIRA_TOKEN, JIRA_PAT, ATLASSIAN_TOKENautomation scripts, curl commands, CI jobs, integration config
REST client debug logs when Authorization headers are printed
CI/CD secret stores and deployment-platform variables
Notes
PATs are a safer replacement for embedding a user password in scripts, but they are still bearer credentials. The token inherits the creating user's Jira permissions and remains usable until expiration or revocation.
Atlassian Cloud API Token
atlassian-jira / cloud-api-token
Jira Cloud REST clients authenticate with an Atlassian account email address and API token using HTTP Basic authentication. Atlassian states that password authentication for Jira Cloud REST APIs is deprecated.
Looks like
patternAuthorization:\s*Basic\s+[A-Za-z0-9+/=]+[^\s:@]+@[^\s:@]+:[^\s:]+Location
curl commands, scripts, Terraform providers, custom integrations
ATLASSIAN_EMAIL, ATLASSIAN_API_TOKEN, JIRA_API_TOKENlocal REST client configuration and integration settings
CI/CD variables and cloud secret managers used by integrations
Notes
This token belongs to the Atlassian account, not only to one Jira site. Its practical blast radius is determined by the account's access to Jira Cloud, Confluence Cloud, and other Atlassian Cloud applications that accept the same account token.
Application Link Basic Auth Credential
atlassian-jira / application-link-basic-auth
Jira application links can use Basic HTTP authentication for connecting Atlassian applications and integrations. The configured username and password are integration credentials, not end-user session passwords.
Looks like
patternAuthorization:\s*Basic\s+[A-Za-z0-9+/=]+Location
Jira application-link and plugin tables that persist integration settings
exported application-link or integration configuration
HTTP client debug logs and reverse-proxy logs if headers are captured
Notes
Basic-auth application links are legacy but still appear in older Atlassian estates. Treat the stored credential as whatever account the link was configured to use, which is often a long-lived integration or service account with broad project access.
Application Link OAuth Private Key
atlassian-jira / application-link-oauth-private-key
Jira application links can use OAuth for authenticated communication between Atlassian applications. OAuth configurations rely on key material or shared application-link secrets that should be treated as integration credentials.
Looks like
pattern-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----Location
Jira application-link and plugin tables for OAuth configuration
exported or scripted application-link configuration
database dumps and Jira migration backups
Notes
The credential is scoped to the linked application trust relationship, not to an individual user password. Exposure can let an attacker forge or impersonate integration traffic depending on the configured OAuth mode and permissions of the linked application.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.