SB2026061999 - Multiple vulnerabilities in Jira Service Management Data Center and Jira Service Management Server

Published: June 19, 2026

Security Bulletin ID SB2026061999
CSH Severity
High
Patch available
YES
Number of vulnerabilities 27
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 4% Medium 89% Low 7%

Description

This security bulletin contains information about 27 vulnerabilities.


1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-34487)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log output in the cloud membership component used for clustering when writing log messages. A remote attacker can trigger log entries that expose the Kubernetes bearer token and thereby disclose sensitive information.


2) Inefficient regular expression complexity (CVE-ID: CVE-2026-27904)

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.


3) Protection Mechanism Failure (CVE-ID: CVE-2026-34486)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass the EncryptInterceptor.

The vulnerability exists due to an implementation error in the EncryptInterceptor when processing traffic protected by the fix for #VU125739 (CVE-2026-29146). A remote attacker can exploit the flawed handling to bypass the EncryptInterceptor.


4) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-29146)

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to decrypt protected communications.

The vulnerability exists due to the use of a padding-oracle-prone cryptographic mode in EncryptInterceptor when processing encrypted traffic with the default CBC configuration. A remote attacker can perform a padding oracle attack to decrypt protected communications.


5) Incorrect regular expression (CVE-ID: CVE-2021-3803)

CWE-ID: CWE-185 - Incorrect Regular Expression

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.


6) Inefficient Algorithmic Complexity (CVE-ID: CVE-2026-27903)

CWE-ID: CWE-407 - Inefficient Algorithmic Complexity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to inefficient algorithmic complexity in matchOne() when processing glob patterns containing multiple non-adjacent GLOBSTAR segments. A remote attacker can supply a specially crafted glob pattern to cause a denial of service.

The issue is triggered on non-matching input and can stall the Node.js event loop while the recursive call tree is fully explored.


7) Improper access control (CVE-ID: CVE-2026-43515)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security constraints.

The vulnerability exists due to improper access control in HTTP method constraint processing when evaluating multiple security constraints for the same extension pattern. A remote attacker can send a request using an improperly constrained HTTP method to bypass security constraints.


8) Resource exhaustion (CVE-ID: CVE-2026-42587)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in HttpContentDecompressor and DelegatingDecompressorFrameListener when processing compressed HTTP request bodies with Content-Encoding set to br, zstd, or snappy. A remote attacker can send a specially crafted compressed payload to cause a denial of service.

The configured maxAllocation limit is enforced for gzip and deflate, but is silently ignored for brotli, zstd, and snappy. The issue affects both HTTP/1.1 and HTTP/2 handling.


9) Improper Authentication (CVE-ID: CVE-2026-43512)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to authenticate as an unknown user.

The vulnerability exists due to improper authentication in the DIGEST authenticator when processing authentication for users not known to the configured Realm. A remote attacker can submit the password "null" for an unknown user to authenticate as an unknown user.

This occurs only when DIGEST authentication is configured.


10) Resource exhaustion (CVE-ID: CVE-2026-41284)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in WebDAV LOCK and PROPFIND handling when processing request bodies. A remote attacker can send a large request body to cause a denial of service.

The affected requests are available to unauthenticated users.


11) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-42043)

CWE-ID: CWE-183 - Permissive List of Allowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass proxy restrictions and disclose sensitive information.

The vulnerability exists due to a permissive list of allowed inputs in lib/helpers/shouldBypassProxy.js when processing Axios requests to loopback addresses in the 127.0.0.0/8 range. A remote attacker can influence the target URL to bypass proxy restrictions and disclose sensitive information.

Exploitation requires the application to use proxy environment variables and rely on NO_PROXY rules to protect loopback services.


12) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-62718)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to conduct server-side request forgery and disclose sensitive information.

The vulnerability exists due to improper hostname normalization in NO_PROXY rule evaluation when processing attacker-controlled request URLs. A remote attacker can supply a crafted URL using forms such as localhost. or [::1] to conduct server-side request forgery and disclose sensitive information.

Applications that rely on NO_PROXY entries for loopback or internal services are affected.


13) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42584)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disrupt HTTP parsing integrity and availability on the connection.

The vulnerability exists due to inconsistent interpretation of HTTP responses in HttpClientCodec when processing pipelined HTTP/1.1 responses that include a 1xx response before a GET response body and a subsequent HEAD response. A remote attacker can send a specially crafted sequence of HTTP responses to disrupt HTTP parsing integrity and availability on the connection.

Exploitation requires HTTP/1.1 pipelining, a HEAD request in the pipeline, and a server response sequence that includes a 1xx response.


14) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-42585)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP requests.

The vulnerability exists due to inconsistent interpretation of HTTP requests in HttpRequestDecoder when parsing malformed Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request with a malformed "Transfer-Encoding: chunked, identity" header to inject arbitrary HTTP requests.

Exploitation is possible in deployments where a proxy forwards such malformed requests to Netty instead of rejecting them.


15) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-43513)

CWE-ID: CWE-178 - Improper Handling of Case Sensitivity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to weaken brute-force protection against a user's password.

The vulnerability exists due to improper input handling in LockOutRealm when processing case-insensitive user names. A remote attacker can vary the case of a user name during authentication attempts to weaken brute-force protection against a user's password.

This affects Realms where user names are treated as case insensitive.


16) HTTP response splitting (CVE-ID: CVE-2026-42035)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary HTTP headers into outgoing requests.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in lib/adapters/http.js when processing data payloads in HTTP requests after a polluted object prototype causes plain objects to be treated as FormData instances. A remote attacker can pollute Object.prototype so that an attacker-controlled getHeaders() function is invoked to inject arbitrary HTTP headers into outgoing requests.

Exploitation requires a prototype pollution primitive somewhere in the application's dependency chain and the application must use Axios to send requests with a data payload such as POST, PUT, or PATCH.


17) Prototype pollution (CVE-ID: CVE-2026-42033)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to tamper with JSON responses and disclose sensitive information.

The vulnerability exists due to prototype pollution in parseReviver handling in the transformResponse functionality when processing JSON responses in a process where Object.prototype has been polluted by a co-dependency. A remote attacker can pollute Object.prototype.parseReviver to tamper with JSON responses and disclose sensitive information.

This issue affects the parseReviver gadget and requires a separate source of prototype pollution in the same process.


18) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42583)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in io.netty.handler.codec.compression.Lz4FrameDecoder#decode when processing crafted LZ4 frames. A remote attacker can send a specially crafted compressed frame header and payload to cause a denial of service.

On the compressed path, header fields are trusted for sizing, allowing a small request to force allocation of a much larger ByteBuf.


19) Improper access control (CVE-ID: CVE-2026-42038)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in shouldBypassProxy() when processing URLs against no_proxy rules. A remote attacker can supply a URL using an IP alias instead of the hostname to disclose sensitive information.

In server-side environments, requests intended to bypass proxies can instead be routed through an attacker-controlled proxy. This can affect access to internal or cloud metadata services.


20) Prototype pollution (CVE-ID: CVE-2026-42264)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject credentials and hijack requests.

The vulnerability exists due to improperly controlled modification of object prototype attributes in the HTTP adapter when reading configuration properties via direct property access from polluted prototypes. A remote attacker can pollute Object.prototype through another dependency in the same process to inject credentials and hijack requests.

Exploitation requires prototype pollution by another dependency in the same process, and requests using relative URLs can be redirected to an attacker-controlled server.


21) Configuration (CVE-ID: CVE-2026-29129)

CWE-ID: CWE-16 - Configuration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause the server to use TLS cipher suites in an unintended order.

The vulnerability exists due to improper configuration handling in TLS 1.3 cipher suite configuration when negotiating TLS connections. A remote attacker can initiate a TLS connection to cause the server to use TLS cipher suites in an unintended order.


22) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33871)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling in DefaultHttp2FrameReader within the HTTP/2 server. A remote attacker can send a flood of CONTINUATION frames and cause a denial of service condition on the target system.


23) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-33870)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests within chunked transfer encoding extension values. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.


24) Input validation error (CVE-ID: CVE-2026-41293)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to trigger unexpected application behavior.

The vulnerability exists due to improper input validation in HTTP/2 request header handling when exposing header values through the Servlet API. A remote attacker can send crafted HTTP/2 request headers to trigger unexpected application behavior.

This may affect applications that assume header values exposed through the Servlet API are specification compliant.


25) Prototype pollution (CVE-ID: CVE-2026-44495)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute injected code in the Axios request-processing context, disclose sensitive information, tamper with response data, or cause a denial of service.

The vulnerability exists due to improperly controlled modification of object prototype attributes in Axios request config processing and response transformation when handling requests after Object.prototype has been polluted with a crafted transformResponse value. A remote attacker can pollute Object.prototype.transformResponse through a separate prototype-pollution primitive to execute injected code in the Axios request-processing context, disclose sensitive information, tamper with response data, or cause a denial of service.

Exploitation requires a separate vulnerability or equivalent capability to control Object.prototype in the same JavaScript process or browser context before Axios merges or validates the request config. Browser and Node usage can both be affected.


26) Information disclosure (CVE-ID: CVE-2026-42498)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose authentication headers to a redirect target host.

The vulnerability exists due to exposure of sensitive information in Tomcat's WebSocket client when following a redirected WebSocket request after authentication. A remote user can trigger a redirect after authentication to disclose authentication headers to a redirect target host.

The issue occurs only if a WebSocket request is redirected after authentication.


27) HTTP response splitting (CVE-ID: CVE-2026-40175)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists because the software does not correctly process CRLF character sequences. A remote attacker can send a specially crafted request containing a CRLF sequence and make the application send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker to perform a cache poisoning attack.


Remediation

Install update from vendor's website.