lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Atlassian Jira

AtlassianCI/CD6 credentials

Credentials6 documented
01

Database Password

atlassian-jira / database-password

Jira Server and Data Center store the database connection details in dbconfig.xml in the Jira home directory. The file includes the database username and password used by Jira to connect to its relational database.

user definedsecretusername/password

Looks like

pattern
pattern

dbconfig.xml database credential pair; the username and password elements are arbitrary operator-supplied values

<username>[^<]+</username>\s*<password>[^<]*</password>
pattern

database password element in dbconfig.xml; Jira can also be configured to secure the database password rather than leaving the raw value directly readable

<password>[^<]*</password>

Location

config file
$JIRA_HOME/dbconfig.xml

Jira home root; created by setup wizard or database configuration tool

build artifact

Jira home backups, migration bundles, VM snapshots, support zips

Notes

dbconfig.xml is required to reconnect Jira to its database during server migrations and upgrades, so it is frequently copied into backup sets and operational runbooks. Access to the database account is often enough to read issue data, user directories, plugin state, and stored integration metadata outside the Jira application layer.

02

Local User / Administrator Password

atlassian-jira / local-user-admin-password

Jira local users, including the administrator created during setup, authenticate with passwords stored in Jira's configured user directory. For the internal directory, the password hash is stored in Jira's database rather than in dbconfig.xml.

user definedsecretusername/password

Looks like

pattern
pattern

Jira internal-directory password material in the database; the exact hash value has no Jira-specific textual prefix and is identified by table and column context

cwd_user.*credential
pattern

raw Basic-auth username:password form before Base64 encoding; context is required because the password itself is arbitrary

[^\\s:@]+@[^\\s:@]+:[^\\s:]+

Location

database

Jira internal user directory tables, including cwd_user credential data

public interface
/login.jsp

Jira web login for local users and administrators

public interface
/rest/api/*

REST API Basic authentication in Server/Data Center deployments

source code

legacy scripts and integrations that still embed username/password auth

Notes

There is no universal shipped Jira administrator password. The initial administrator is created by the setup flow or by an operator, and later users may be local, LDAP-backed, SSO-backed, or externally managed. Include literal passwords only for product-specific defaults or CVE-backed hardcoded accounts, not for Jira as a generic product.

03

Data Center Personal Access Token

atlassian-jira / data-center-personal-access-token

Jira Data Center and Server support personal access tokens for scripts and external integrations. Atlassian documents PATs as bearer tokens passed in the Authorization header for REST API calls.

user definedsecrettoken

Looks like

pattern
pattern

no documented Jira-specific token prefix; identify Data Center PATs by bearer-token use against Jira or Confluence REST endpoints

Authorization:\s*Bearer\s+[^\s]+

Location

environment
JIRA_TOKEN, JIRA_PAT, ATLASSIAN_TOKEN
source code

automation scripts, curl commands, CI jobs, integration config

logs

REST client debug logs when Authorization headers are printed

secret store

CI/CD secret stores and deployment-platform variables

Notes

PATs are a safer replacement for embedding a user password in scripts, but they are still bearer credentials. The token inherits the creating user's Jira permissions and remains usable until expiration or revocation.

04

Atlassian Cloud API Token

atlassian-jira / cloud-api-token

Jira Cloud REST clients authenticate with an Atlassian account email address and API token using HTTP Basic authentication. Atlassian states that password authentication for Jira Cloud REST APIs is deprecated.

user definedsecrettoken

Looks like

pattern
pattern

Base64-encoded email-address:api-token pair for Atlassian Cloud; decode context is required because the token itself has no fixed Jira-specific prefix

Authorization:\s*Basic\s+[A-Za-z0-9+/=]+
pattern

raw Basic-auth username/token form used by curl --user before it is Base64 encoded; the left side is the Atlassian account email

[^\s:@]+@[^\s:@]+:[^\s:]+

Location

source code

curl commands, scripts, Terraform providers, custom integrations

environment
ATLASSIAN_EMAIL, ATLASSIAN_API_TOKEN, JIRA_API_TOKEN
config file

local REST client configuration and integration settings

secret store

CI/CD variables and cloud secret managers used by integrations

Notes

This token belongs to the Atlassian account, not only to one Jira site. Its practical blast radius is determined by the account's access to Jira Cloud, Confluence Cloud, and other Atlassian Cloud applications that accept the same account token.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.