Published on July 20, 2022
The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
Known Exploited Vulnerability
This Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group.
The following remediation is recommended, with a CISA due date of August 19, 2022: apply updates per vendor instructions.
CVE-2022-26138 is exploitable with network access and requires neither privileges nor user interaction. The attack complexity is rated low, and the exploitability sub-score is the highest possible (3.9). The potential impact is rated critical because the vulnerability has a high impact on the confidentiality, integrity and availability of the affected component.
Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
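A defender looking at this advisory typically wants two things: a quick check of whether the installed app version is one that creates the account, and a scan of access logs for any activity attributed to the `disabledsystemuser` account. The script below is an added example written for this page; it is not Atlassian's code or part of stack.watch. The log format, the `assess_account` record shape and the `SAMPLE_ACCESS_LOG` lines are constructed assumptions for illustration, since the advisory does not specify a log format.

```python
import re
from datetime import datetime

# Account name the advisory says the affected app versions create.
SUSPECT_USER = "disabledsystemuser"
# App versions the advisory names as creating that account.
VULNERABLE_APP_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}

# Constructed sample in a common-log-like shape (assumed format, not a real Confluence export).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [20/Jul/2022:08:01:10 +0000] "GET /rest/api/content HTTP/1.1" 200
203.0.113.7 - disabledsystemuser [20/Jul/2022:08:02:45 +0000] "GET /rest/api/search?cql=type=page HTTP/1.1" 200
10.0.0.9 - - [20/Jul/2022:08:03:00 +0000] "GET /login.action HTTP/1.1" 200
198.51.100.2 - disabledsystemuser [21/Jul/2022:02:15:33 +0000] "GET /rest/api/content/12345 HTTP/1.1" 200
"""

# source - user [timestamp] "request" status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})$'
)


def parse_access_log(text):
    """Parse log lines into dicts; lines that do not match the assumed shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def find_suspect_activity(entries, username=SUSPECT_USER):
    """Return every request attributed to the hard-coded account."""
    return [e for e in entries if e["user"] == username]


def summarize(hits):
    """Condense matches into what an incident responder needs first: count, sources, time window."""
    if not hits:
        return None
    return {
        "count": len(hits),
        "sources": sorted({e["src"] for e in hits}),
        "first_seen": min(e["ts"] for e in hits).isoformat(),
        "last_seen": max(e["ts"] for e in hits).isoformat(),
    }


def is_vulnerable_app_version(version):
    """True when the installed Questions for Confluence version is one the advisory lists."""
    return version.strip() in VULNERABLE_APP_VERSIONS


def assess_account(account):
    """Classify a user record of the assumed shape {"username": str, "active": bool}."""
    if account.get("username") != SUSPECT_USER:
        return "not_applicable"
    if account.get("active"):
        return "active_disable_or_remove"
    return "present_but_disabled_review"


if __name__ == "__main__":
    hits = find_suspect_activity(parse_access_log(SAMPLE_ACCESS_LOG))
    print(summarize(hits))
    print(is_vulnerable_app_version("3.0.2"), assess_account({"username": SUSPECT_USER, "active": True}))
```

Even after the app is updated, the account itself may remain, so the version check and the account assessment are complementary: the first tells you whether the account was ever created, the second whether it is still usable. Any request attributed to the account, regardless of status code, is worth treating as an indicator because no legitimate workflow uses it.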
Products Associated with CVE-2022-26138
What versions are vulnerable to CVE-2022-26138?
Each of the following must match for the vulnerability to exist.