CVE-2022-26138

20.07.2022, 18:15

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
atlassian	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
atlassian	questions_for_confluence	2.7.34
atlassian	questions_for_confluence	2.7.35
atlassian	questions_for_confluence	3.0.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-798 - Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

References

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html

https://jira.atlassian.com/browse/CONFSERVER-79483

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html

https://jira.atlassian.com/browse/CONFSERVER-79483