-
Type:
Public Security Vulnerability
-
Resolution: Fixed
-
Priority:
High
-
Affects Version/s: 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 12.1.0, 10.2.8, 10.2.9, 10.2.10, 10.2.11, 10.2.12, 10.2.13, 10.2.14, 10.2.15, 12.1.2, 12.1.3, 10.2.16, 10.2.18, 12.1.6, 12.1.7, 10.2.19
-
Component/s: None
-
7.5
-
High
-
CVE-2026-41044
-
Atlassian (Internal)
-
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-
DoS (Denial of Service)
-
Bamboo Data Center, Bamboo Server
This High severity DoS (Denial of Service) vulnerability was introduced in versions 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.2.9, 10.2.10, 10.2.11, 10.2.12, 10.2.13, 10.2.14, 10.2.15, 10.2.16, 10.2.18, and 10.2.19 of Bamboo Data Center.
This DoS (Denial of Service) vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.20
Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.8
See the release notes (https://confluence.atlassian.com/bamboo/bamboo-release-notes-702702082.html). You can download the latest version of Bamboo Data Center from the download center (Bamboo Download Archives | Atlassian).
The National Vulnerability Database provides the following description for this vulnerability: pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.