SB2026061992 - Multiple vulnerabilities in Bamboo Data Center
Published: June 19, 2026
Description
This security bulletin contains information about 14 vulnerabilities.
1) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-43513)
CWE-ID: CWE-178 - Improper Handling of Case Sensitivity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to weaken brute-force protection against a user's password.
The vulnerability exists due to improper input handling in LockOutRealm when processing case-insensitive user names. A remote attacker can vary the case of a user name during authentication attempts to weaken brute-force protection against a user's password.
This affects Realms where user names are treated as case insensitive.
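The failure mode in item 1 is easy to reproduce: a lockout counter keyed on the user name exactly as submitted gives every case variant of the same account its own counter. The following is an added illustration, not Tomcat's LockOutRealm code, and the class names, the threshold and the attacker simulation are constructed for it; the one design point it shows is that the lockout key must be folded the same way the realm folds user names for comparison.

```javascript
'use strict';

// Vulnerable shape: failed attempts are counted under the name exactly as submitted,
// so "alice", "Alice", "aLice" ... each get a fresh counter while the realm
// authenticates all of them against the same account.
class LockOutTrackerVulnerable {
  constructor(maxFailures) {
    this.maxFailures = maxFailures;
    this.failures = new Map();
  }
  key(username) { return username; }
  isLocked(username) {
    return (this.failures.get(this.key(username)) || 0) >= this.maxFailures;
  }
  recordFailure(username) {
    const k = this.key(username);
    this.failures.set(k, (this.failures.get(k) || 0) + 1);
  }
}

// Hardened: fold the key the same way a case-insensitive realm folds the user name
// before it looks the account up (constructed fold: NFKC then lower-case; the real
// fold must mirror whatever comparison the realm itself performs).
class LockOutTrackerHardened extends LockOutTrackerVulnerable {
  key(username) { return username.normalize('NFKC').toLowerCase(); }
}

// Attacker who flips the case pattern on every attempt (bits of the attempt number
// choose the case of each character). Returns how many attempts got through before
// the tracker reported the account locked.
function simulateCaseVaryingAttack(tracker, username, attempts) {
  let accepted = 0;
  for (let i = 0; i < attempts; i++) {
    const variant = [...username]
      .map((c, j) => (((i >> j) & 1) ? c.toUpperCase() : c.toLowerCase()))
      .join('');
    if (tracker.isLocked(variant)) break;   // the check a realm performs before authenticating
    accepted++;
    tracker.recordFailure(variant);          // every attempt here is a wrong password
  }
  return accepted;
}
```

With a threshold of 5, the vulnerable tracker admits all 20 attempts (20 distinct keys, none reaching the limit) while the hardened one stops after 5. The same normalisation must be applied wherever the realm is consulted, including any separate "is this account locked" lookup an admin UI performs.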
2) Resource exhaustion (CVE-ID: CVE-2026-42587)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in HttpContentDecompressor and DelegatingDecompressorFrameListener when processing compressed HTTP request bodies with Content-Encoding set to br, zstd, or snappy. A remote attacker can send a specially crafted compressed payload to cause a denial of service.
The configured maxAllocation limit is enforced for gzip and deflate, but is silently ignored for brotli, zstd, and snappy. The issue affects both HTTP/1.1 and HTTP/2 handling.
3) Improper access control (CVE-ID: CVE-2026-42038)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in shouldBypassProxy() when processing URLs against no_proxy rules. A remote attacker can supply a URL using an IP alias instead of the hostname to disclose sensitive information.
In server-side environments, requests intended to bypass proxies can instead be routed through an attacker-controlled proxy. This can affect access to internal or cloud metadata services.
4) HTTP response splitting (CVE-ID: CVE-2026-42035)
CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP headers into outgoing requests.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in lib/adapters/http.js when processing data payloads in HTTP requests after a polluted object prototype causes plain objects to be treated as FormData instances. A remote attacker can pollute Object.prototype so that an attacker-controlled getHeaders() function is invoked to inject arbitrary HTTP headers into outgoing requests.
Exploitation requires a prototype pollution primitive somewhere in the application's dependency chain and the application must use Axios to send requests with a data payload such as POST, PUT, or PATCH.
5) Prototype pollution (CVE-ID: CVE-2026-42033)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to tamper with JSON responses and disclose sensitive information.
The vulnerability exists due to prototype pollution in parseReviver handling in the transformResponse functionality when processing JSON responses in a process where Object.prototype has been polluted by a co-dependency. A remote attacker can pollute Object.prototype.parseReviver to tamper with JSON responses and disclose sensitive information.
This issue affects the parseReviver gadget and requires a separate source of prototype pollution in the same process.
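Items 4 and 5 are both "gadgets": they need a prototype pollution primitive elsewhere in the process, and what they contribute is a lookup that trusts an inherited property. The following added example, which is not Axios's code, reproduces both shapes under a simulated pollution and shows the two checks that close them: a FormData duck-typing test that never accepts a plain object, plus CR/LF validation of every header before serialisation (item 4), and an own-property lookup for an optional hook (item 5). The FakeFormData class, the header names and the config object are constructed for the example.

```javascript
'use strict';

// Vulnerable shape: duck-typing on a method that may be inherited from a polluted
// Object.prototype, then merging whatever it returns into the outgoing headers unchecked.
function buildHeadersVulnerable(data, baseHeaders) {
  const headers = { ...baseHeaders };
  if (data && typeof data.getHeaders === 'function') {
    Object.assign(headers, data.getHeaders());
  }
  return headers;
}

// Hardened: a plain object (prototype Object.prototype or null) is never FormData,
// however it quacks; and no header name or value may contain CR or LF from any source.
function isFormDataLike(data) {
  if (!data || typeof data !== 'object' || Array.isArray(data)) return false;
  const proto = Object.getPrototypeOf(data);
  if (proto === null || proto === Object.prototype) return false;
  return typeof data.getHeaders === 'function';
}

function assertHeaderSafe(name, value) {
  if (/[\r\n]/.test(name) || /[\r\n]/.test(String(value))) {
    throw new Error('CRLF in header ' + JSON.stringify(name));
  }
}

function buildHeadersHardened(data, baseHeaders) {
  const headers = {};
  const merge = (src) => {
    for (const [k, v] of Object.entries(src)) { assertHeaderSafe(k, v); headers[k] = v; }
  };
  merge(baseHeaders);
  if (isFormDataLike(data)) merge(data.getHeaders());
  return headers;
}

// Item 5's shape: consult an optional hook only when the config object itself defines it,
// so an inherited (polluted) parseReviver is ignored.
function readReviver(config) {
  const own = Object.hasOwn(config, 'parseReviver') ? config.parseReviver : undefined;
  return typeof own === 'function' ? own : undefined;
}

function wireFormat(headers) {
  return Object.entries(headers).map(([k, v]) => k + ': ' + v).join('\r\n') + '\r\n\r\n';
}

// Constructed stand-in for a real multipart body object (assumed shape: exposes getHeaders()).
class FakeFormData {
  constructor(extra) { this.extra = extra; }
  getHeaders() { return { 'content-type': 'multipart/form-data; boundary=b', ...this.extra }; }
}

// Runs both implementations under a simulated pollution primitive and always cleans up.
function demo() {
  Object.prototype.getHeaders = () => ({ 'x-injected': 'a\r\nEvil: 1' });
  Object.prototype.parseReviver = (k, v) => (k === 'secret' ? 'tampered' : v);
  try {
    const plain = { user: 'alice' };                       // an ordinary JSON payload
    const base = { 'content-type': 'application/json' };
    const vulnerable = wireFormat(buildHeadersVulnerable(plain, base));
    const hardened = wireFormat(buildHeadersHardened(plain, base));
    let crlfRejected = false;
    try { buildHeadersHardened(new FakeFormData({ 'x-bad': 'v\r\nEvil: 1' }), base); }
    catch (e) { crlfRejected = /CRLF/.test(e.message); }
    const config = {};                                      // defines no parseReviver of its own
    return {
      vulnerableInjected: vulnerable.includes('\r\nEvil: 1'),
      hardenedInjected: hardened.includes('\r\nEvil: 1'),
      formDataMerged: buildHeadersHardened(new FakeFormData({}), base)['content-type'].startsWith('multipart'),
      crlfRejected,
      vulnerableReviverLeak: JSON.parse('{"secret":"s"}', config.parseReviver).secret,
      hardenedReviver: JSON.parse('{"secret":"s"}', readReviver(config)).secret,
    };
  } finally {
    delete Object.prototype.getHeaders;
    delete Object.prototype.parseReviver;
  }
}
```

The prototype check alone is not sufficient: a genuine FormData object could still carry a CRLF in a header it builds from user input, which is why the CR/LF validation runs on every merged header regardless of where it came from.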
6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42585)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in HttpRequestDecoder when parsing malformed Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request with a malformed "Transfer-Encoding: chunked, identity" header to inject arbitrary HTTP requests.
Exploitation is possible in deployments where a proxy forwards such malformed requests to Netty instead of rejecting them.
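Request smuggling of the kind in item 6 comes from two parsers deciding message framing differently for the same bytes. The following added example, not Netty's decoder, contrasts a lenient framing decision (anything mentioning "chunked" is chunked) with a strict one that follows RFC 9112 section 6: "chunked" must be the final transfer coding and appear once, every coding must be one the server implements, Transfer-Encoding together with Content-Length is rejected, and Content-Length must be a single decimal. The small header parser and the sample request are constructed for the example.

```javascript
'use strict';

// Minimal parser for the head of a raw HTTP/1.1 request: lower-cases field names and
// joins repeated fields with ", " (which is how "Content-Length: 5, 5" can arise).
function parseHead(raw) {
  const lines = raw.split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === '') break;
    const i = line.indexOf(':');
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = Object.hasOwn(headers, name) ? headers[name] + ', ' + value : value;
  }
  return { requestLine: lines[0], headers };
}

// Lenient framing: any Transfer-Encoding that mentions "chunked" is treated as chunked.
function framingLenient(headers) {
  const te = headers['transfer-encoding'];
  if (te !== undefined && te.toLowerCase().includes('chunked')) return 'chunked';
  if (headers['content-length'] !== undefined) return 'content-length';
  return 'none';
}

// Strict framing: "chunked" final and exactly once, only implemented codings, no TE+CL,
// Content-Length a single decimal. Anything else is 'reject' (400/501 and close).
const IMPLEMENTED_CODINGS = new Set(['chunked', 'gzip', 'x-gzip', 'deflate']);
function framingStrict(headers) {
  const te = headers['transfer-encoding'];
  const cl = headers['content-length'];
  if (te === undefined) {
    if (cl === undefined) return 'none';
    return /^\d+$/.test(cl) ? 'content-length' : 'reject';
  }
  if (cl !== undefined) return 'reject';
  const codings = te.split(',').map(s => s.trim().toLowerCase());
  const chunkedCount = codings.filter(c => c === 'chunked').length;
  if (chunkedCount !== 1 || codings[codings.length - 1] !== 'chunked') return 'reject';
  if (!codings.every(c => IMPLEMENTED_CODINGS.has(c))) return 'reject';
  return 'chunked';
}

// Constructed request of the kind named in the advisory; the two framings disagree on it.
const SMUGGLE_CANDIDATE =
  'POST /api HTTP/1.1\r\nHost: bamboo.example\r\n' +
  'Transfer-Encoding: chunked, identity\r\nContent-Length: 4\r\n\r\n';

function framingDisagreement(raw) {
  const { headers } = parseHead(raw);
  return { lenient: framingLenient(headers), strict: framingStrict(headers) };
}
```

The practical check is to run both the front-end proxy's and the back-end's behaviour over the same malformed header: a request the proxy forwards as Content-Length framed but the back-end reads as chunked is the smuggling condition, and the fix is to reject at the first hop rather than to "repair" the header.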
7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42583)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in io.netty.handler.codec.compression.Lz4FrameDecoder#decode when processing crafted LZ4 frames. A remote attacker can send a specially crafted compressed frame header and payload to cause a denial of service.
On the compressed path, header fields are trusted for sizing, allowing a small request to force allocation of a much larger ByteBuf.
8) Resource exhaustion (CVE-ID: CVE-2026-41284)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in WebDAV LOCK and PROPFIND handling when processing request bodies. A remote attacker can send a large request body to cause a denial of service.
The affected requests are available to unauthenticated users.
9) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-44492)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists because shouldBypassProxy() does not normalise IPv4-mapped IPv6 addresses before matching them against no_proxy rules. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation may allow a remote attacker to gain access to sensitive data located on the local network, or to send malicious requests to other servers from the vulnerable system.
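Items 3 and 9 are the same defect seen from two sides: the host in the URL is compared against no_proxy entries in whatever form the caller wrote it, so an IPv4 alias (hex, decimal, shortened dotted form) or an IPv4-mapped IPv6 literal never matches the entry that was meant to cover it. The following added example, which is not Axios's shouldBypassProxy, shows a naive textual match beside a check that canonicalises the host first. It relies on two facts: WHATWG URL parsing already folds IPv4 aliases to dotted-quad form, and it serialises IPv4-mapped IPv6 as hex groups (::ffff:7f00:1), which the code unmaps by hand. The matcher semantics (exact host, domain suffix, "*") are a simplified assumption, not the library's.

```javascript
'use strict';

// Naive check (the shape of the weakness): the host text as written in the URL is
// compared against the NO_PROXY entries without canonicalisation.
function shouldBypassProxyNaive(url, noProxy) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@/]*@)?([^/?#]+)/i.exec(url);
  if (!m) return false;
  const host = m[1].replace(/:\d+$/, '').toLowerCase();
  return noProxy.split(',').map(s => s.trim().toLowerCase()).filter(Boolean)
    .some(rule => rule === '*' || host === rule ||
                  host.endsWith(rule.startsWith('.') ? rule : '.' + rule));
}

// Canonical host: WHATWG parsing turns 0x7f000001, 2130706433 and 127.1 into 127.0.0.1;
// IPv4-mapped IPv6 comes back as [::ffff:7f00:1] and is unmapped to dotted form here.
function canonicalHost(url) {
  let host = new URL(url).hostname.toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  let m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
  }
  m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(host);   // dotted mapped form, if it ever arrives
  return m ? m[1] : host;
}

// Canonicalise a NO_PROXY entry the same way, so "0x7f000001" in the list is not a trap either.
function canonicalRule(rule) {
  const bare = rule.replace(/^\*?\./, '').replace(/:\d+$/, '');   // ".example.com", "*.example.com", ":port"
  try { return canonicalHost('http://' + bare + '/'); } catch { return bare; }
}

function shouldBypassProxyHardened(url, noProxy) {
  const host = canonicalHost(url);
  return noProxy.split(',').map(s => s.trim().toLowerCase()).filter(Boolean).some(rule => {
    if (rule === '*') return true;
    const r = canonicalRule(rule);
    return host === r || host.endsWith('.' + r);
  });
}
```

Canonicalising the host decides the proxy question correctly, but it is not an SSRF control on its own: where the URL is attacker-supplied, the destination still has to be checked against an allow list after resolution, and a no_proxy entry for an internal address says nothing about whether that address should be reachable at all.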
10) Inefficient regular expression complexity (CVE-ID: CVE-2026-44496)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in lib/helpers/cookies.js read(name) when processing an attacker-controlled XSRF cookie name while reading document.cookie. A remote attacker can supply a crafted cookie name containing regex metacharacters to cause a denial of service.
The issue affects standard browser environments and can freeze the affected browser tab while axios prepares a request. Applications are affected only when attacker-controlled data reaches the XSRF cookie name configuration or an unsafe direct call to the internal cookie helper.
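The regex in item 10 is built by interpolating the cookie name into a pattern, so any regex metacharacter in the name changes what the pattern does (an alternation reads a different cookie, an unbalanced parenthesis throws, a nested quantifier backtracks for as long as the attacker likes). The following added example, not Axios's cookie helper, shows the vulnerable construction next to a reader that needs no regular expression at all, plus the escaping to use if one is genuinely required; the cookie string stands in for document.cookie and is constructed for the example.

```javascript
'use strict';

// Vulnerable shape: the name goes into the pattern unescaped. A name like "(a+)+$"
// becomes a catastrophic-backtracking pattern against a long cookie string.
function readCookieVulnerable(cookieString, name) {
  const match = cookieString.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
  return match ? decodeURIComponent(match[3]) : null;
}

// Hardened: no regular expression. Split on ';' and compare the name literally,
// so metacharacters in the name are just characters that fail to match.
function readCookieSafe(cookieString, name) {
  for (const pair of cookieString.split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() === name) {
      return decodeURIComponent(pair.slice(eq + 1).trim());
    }
  }
  return null;
}

// If a regex is unavoidable, escape the attacker-influenced part before building it.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function readCookieEscaped(cookieString, name) {
  const match = cookieString.match(new RegExp('(^|;\\s*)(' + escapeRegExp(name) + ')=([^;]*)'));
  return match ? decodeURIComponent(match[3]) : null;
}

// Constructed stand-in for document.cookie.
const COOKIES = 'session=abc; XSRF-TOKEN=tok%2D1; theme=dark';
```

The alternation case is the instructive one: with the vulnerable reader, a configured name of "XSRF-TOKEN|session" silently returns the session cookie's value as the XSRF token, which is a data-flow bug as well as a denial-of-service surface.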
11) Information disclosure (CVE-ID: CVE-2026-44486)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper handling of sensitive headers in the Node.js HTTP adapter in lib/adapters/http.js when following redirects after proxy settings are re-evaluated from an authenticated proxy to a direct connection. A remote attacker can cause the application to follow a crafted redirect so that proxy credentials are sent to the redirect target to disclose sensitive information.
Only the Node.js HTTP adapter is affected, and exploitation requires automatic redirects to be enabled with an authenticated proxy configuration.
12) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-44488)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the fetch adapter when processing requests and responses with configured finite size limits. A remote attacker can supply an oversized response, a large data: URL, or an oversized request body to cause a denial of service.
The issue affects server-side usage where applications rely on maxContentLength or maxBodyLength being enforced by the fetch adapter.
13) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2026-44487)
CWE-ID: CWE-201 - Insertion of Sensitive Information Into Sent Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into sent data in the Node.js HTTP adapter when following an HTTP-to-HTTPS redirect from a proxied request to a direct request. A remote attacker can trigger a crafted redirect flow to disclose sensitive information.
Only Node.js requests using the HTTP adapter are affected, and exploitation requires redirects to be followed and proxy credentials to be configured for the initial HTTP request but not for the redirected HTTPS request.
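Items 11 and 13 describe the same mistake at a redirect boundary: the header set from the first hop, Proxy-Authorization included, is reused for the next hop even though that hop resolves to a different proxy or to none, so the proxy credential is delivered to the redirect target. The following added example, not Axios's HTTP adapter, walks a constructed redirect chain without touching the network and compares a carry-everything hop builder with one that recomputes the proxy credential per hop and drops Authorization and Cookie on a change of origin (the Fetch standard's rule for cross-origin redirects). The proxy configuration shape, the hosts and the credential are constructed for the example.

```javascript
'use strict';

// Proxy selection for one hop. Constructed stand-in for the HTTP_PROXY / HTTPS_PROXY lookup:
// config shape { http: { host, port, auth }, https: { ... } }; a missing key means direct.
function proxyFor(url, proxies) {
  return proxies[new URL(url).protocol.replace(':', '')] || null;
}

function proxyAuthHeader(proxy) {
  return 'Basic ' + Buffer.from(proxy.auth, 'utf8').toString('base64');
}

// Headers for the first hop: proxy credential derived from that hop's own proxy.
function initialHeaders(url, proxies, base) {
  const headers = { ...base };
  const proxy = proxyFor(url, proxies);
  if (proxy && proxy.auth) headers['proxy-authorization'] = proxyAuthHeader(proxy);
  return headers;
}

// Vulnerable shape: the previous hop's headers, Proxy-Authorization included, are reused as-is.
function nextHopHeadersVulnerable(prevHeaders /* , prevUrl, nextUrl, proxies */) {
  return { ...prevHeaders };
}

// Hardened: Proxy-Authorization is never inherited; it is rebuilt from whatever proxy
// (if any) the new hop resolves to. Authorization and Cookie go when the origin changes.
function nextHopHeadersHardened(prevHeaders, prevUrl, nextUrl, proxies) {
  const headers = { ...prevHeaders };
  delete headers['proxy-authorization'];
  const proxy = proxyFor(nextUrl, proxies);
  if (proxy && proxy.auth) headers['proxy-authorization'] = proxyAuthHeader(proxy);
  if (new URL(prevUrl).origin !== new URL(nextUrl).origin) {
    delete headers['authorization'];
    delete headers['cookie'];
  }
  return headers;
}

// Walks a constructed redirect map, recording what each hop would put on the wire.
function followRedirects(startUrl, proxies, base, chain, nextHopHeaders, maxHops = 5) {
  const hops = [];
  let url = startUrl;
  let headers = initialHeaders(url, proxies, base);
  while (hops.length < maxHops) {
    hops.push({ url, viaProxy: !!proxyFor(url, proxies), headers });
    const next = Object.hasOwn(chain, url) ? chain[url] : undefined;
    if (!next) break;
    headers = nextHopHeaders(headers, url, next, proxies);
    url = next;
  }
  return hops;
}

// Constructed scenario from the advisory: authenticated proxy for http, direct for https,
// and a 30x from the plain-HTTP endpoint to its HTTPS counterpart.
const PROXIES = { http: { host: 'proxy.internal', port: 3128, auth: 'svc:s3cret' } };
const CHAIN = { 'http://app.example/login': 'https://app.example/login' };
const BASE = { authorization: 'Bearer api-token' };
```

A useful regression test for any client that follows redirects is exactly this walk: for each hop, assert that Proxy-Authorization is present if and only if that hop goes through a proxy that requires it, and that it is the credential of that proxy and not of the previous one.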
14) Code Injection (CVE-ID: CVE-2026-41044)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation and code injection in the admin web console and DestinationView MBean when processing a malicious broker name and triggering VM transport creation. A remote user can construct a malicious broker name and send a message through the DestinationView MBean to execute arbitrary code.
Exploitation requires access to the admin web console and the DestinationView MBean exposed by Jolokia.
Remediation
Install the update from the vendor's website.
References
- https://jira.atlassian.com/browse/BAM-26407
- https://jira.atlassian.com/browse/BAM-26410
- https://jira.atlassian.com/browse/BAM-26393
- https://jira.atlassian.com/browse/BAM-26416
- https://jira.atlassian.com/browse/BAM-26414
- https://jira.atlassian.com/browse/BAM-26415
- https://jira.atlassian.com/browse/BAM-26419
- https://jira.atlassian.com/browse/BAM-26411
- https://jira.atlassian.com/browse/BAM-26430
- https://jira.atlassian.com/browse/BAM-26428
- https://jira.atlassian.com/browse/BAM-26425
- https://jira.atlassian.com/browse/BAM-26426
- https://jira.atlassian.com/browse/BAM-26427
- https://jira.atlassian.com/browse/BAM-26431