SB2026061993 - Multiple vulnerabilities in Bitbucket Data Center

Description

This security bulletin contains information about 6 vulnerabilities.

1) Improper access control (CVE-ID: CVE-2026-42038)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in shouldBypassProxy() when processing URLs against no_proxy rules. A remote attacker can supply a URL using an IP alias instead of the hostname to disclose sensitive information.

In server-side environments, requests intended to bypass proxies can instead be routed through an attacker-controlled proxy. This can affect access to internal or cloud metadata services.

2) Resource exhaustion (CVE-ID: CVE-2026-45149)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource consumption in the numeric range expansion logic when processing a string containing a single large numeric range. A remote attacker can supply a specially crafted expansion string to cause a denial of service.

User interaction is required to process the crafted expansion input.

3) Resource exhaustion (CVE-ID: CVE-2026-41284)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in WebDAV LOCK and PROPFIND handling when processing request bodies. A remote attacker can send a large request body to cause a denial of service.

The affected requests are available to unauthenticated users.

4) Prototype pollution (CVE-ID: CVE-2026-42033)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to tamper with JSON responses and disclose sensitive information.

The vulnerability exists due to prototype pollution in parseReviver handling in the transformResponse functionality when processing JSON responses in a process where Object.prototype has been polluted by a co-dependency. A remote attacker can pollute Object.prototype.parseReviver to tamper with JSON responses and disclose sensitive information.

This issue affects the parseReviver gadget and requires a separate source of prototype pollution in the same process.

5) HTTP response splitting (CVE-ID: CVE-2026-42035)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to inject arbitrary HTTP headers into outgoing requests.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in lib/adapters/http.js when processing data payloads in HTTP requests after a polluted object prototype causes plain objects to be treated as FormData instances. A remote attacker can pollute Object.prototype so that an attacker-controlled getHeaders() function is invoked to inject arbitrary HTTP headers into outgoing requests.

Exploitation requires a prototype pollution primitive somewhere in the application's dependency chain and the application must use Axios to send requests with a data payload such as POST, PUT, or PATCH.

6) Improper authorization (CVE-ID: CVE-2026-24734)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to incomplete OCSP verification checks. When using an OCSP responder, Tomcat's FFM integration with OpenSSL does not complete verification or freshness checks on the OCSP response. A remote attacker can bypass certificate revocation and gain unauthorized access to the application. 

Remediation

Install update from vendor's website.

References

• https://jira.atlassian.com/browse/BSERV-20414
• https://jira.atlassian.com/browse/BSERV-20430
• https://jira.atlassian.com/browse/BSERV-20434
• https://jira.atlassian.com/browse/BSERV-20436
• https://jira.atlassian.com/browse/BSERV-20437
• https://jira.atlassian.com/browse/BSERV-20444