SB2026060237 - Multiple vulnerabilities in Jira Service Management Data Center
Published: June 2, 2026
Description
This security bulletin contains information about 9 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2026-31802)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A local user can trick tar (npm) into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction.
2) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-25639)
CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling of the proto key in mergeConfig. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.
3) Buffer overflow (CVE-ID: CVE-2026-29062)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error in UTF8DataInputJsonParser when parsing deeply nested JSON input. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service attack.
Note: the vulnerability exists because the fix for #VU112106 (CVE-2025-52999) was not properly applied to the 3.x branch.
4) Link following (CVE-ID: CVE-2026-29786)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to insecure handling of hard links inside archives. A remote attacker can supply a specially crafted archive to the application that can overwrite arbitrary files on the system with privileges of the process performing data extraction.
5) Cross-site scripting (CVE-ID: CVE-2026-22029)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
6) Input validation error (CVE-ID: CVE-2026-33750)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in sequence generation in expand() when parsing a brace pattern with a zero step value. A remote attacker can supply a specially crafted pattern to cause a denial of service.
User interaction is required to process the crafted input.
7) Path traversal (CVE-ID: CVE-2026-26960)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences within the tar.extract() function when handling hardlinks inside archives. A remote user can pass a specially crafted archive to the application and read or write files at arbitrary locations on the system.
8) Protection Mechanism Failure (CVE-ID: CVE-2026-22732)
CWE-ID: CWE-693 - Protection Mechanism Failure
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper security header handling in HTTP response header writing for servlet applications when using lazy writing of HTTP headers. A remote attacker can trigger application responses where the configured security headers are not written to disclose sensitive information.
This issue affects servlet applications that specify HTTP response headers using Spring Security with lazy header writing enabled.
9) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34483)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary JSON into the JSON access log.
The vulnerability exists due to incomplete escaping in the JSON access log when handling requests with non-default Connector attributes relaxedPathChars and/or relaxedQueryChars. A remote attacker can send a specially crafted request to inject arbitrary JSON into the JSON access log.
Only configurations using non-default values for relaxedPathChars and/or relaxedQueryChars are affected.
Remediation
Install the update from the vendor's website.
References
- https://jira.atlassian.com/browse/JSDSERVER-16573
- https://jira.atlassian.com/browse/JSDSERVER-16571
- https://jira.atlassian.com/browse/JSDSERVER-16576
- https://jira.atlassian.com/browse/JSDSERVER-16575
- https://jira.atlassian.com/browse/JSDSERVER-16577
- https://jira.atlassian.com/browse/JSDSERVER-16574
- https://jira.atlassian.com/browse/JSDSERVER-16578
- https://jira.atlassian.com/browse/JSDSERVER-16588
- https://jira.atlassian.com/browse/JSDSERVER-16587