CVE-2022-26138

CVSS 9.8 Critical | EPSS 98.2% | KEV | CWE-798
In short

The Atlassian Questions For Confluence app creates a default user account with a hardcoded password that anyone who knows it can use to log in to Confluence. An attacker with that password can authenticate as this account and view any content available to the confluence-users group, including sensitive information.

Technical detail

CWE-798 hardcoded credentials vulnerability: during installation of versions 2.7.34, 2.7.35 and 3.0.2, the app creates a 'disabledsystemuser' account in the confluence-users group with a hardcoded password. An unauthenticated remote attacker who knows that password can authenticate as this account and reach every resource available to the confluence-users group without authorization.

Summary generated and translated by AI from the official description.
The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
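One way to check an instance you administer for the account this advisory describes, as an added example (not Atlassian's code or the page's): it assumes the Confluence Server REST endpoints GET /rest/api/user?username= and GET /rest/api/user/memberof?username= are reachable with an administrator's basic-auth credentials.

```python
# Added example for CVE-2022-26138, not Atlassian's code. Assumes the Confluence
# Server REST endpoints /rest/api/user?username= and /rest/api/user/memberof?username=
# answer to an administrator's basic-auth credentials.
import getpass
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from base64 import b64encode

VULN_USER = "disabledsystemuser"   # account named in the advisory
VULN_GROUP = "confluence-users"    # group named in the advisory

def assess(user_lookup, group_lookup):
    """Build a finding from decoded REST bodies: user_lookup is the /rest/api/user
    response (None when the server answered 404), group_lookup the /memberof response."""
    if user_lookup is None:
        return {"present": False, "in_group": False}
    groups = {g.get("name") for g in (group_lookup or {}).get("results", [])}
    # A present account is a cleanup item in any case; membership in
    # confluence-users is what exposes every space that group can read.
    return {"present": True, "in_group": VULN_GROUP in groups}

def fetch_json(base_url, path, auth_header):
    """GET a REST path with basic auth; None on HTTP 404, raise on other errors."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
        headers={"Authorization": auth_header, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise

def check_instance(base_url, admin_user, admin_password):
    """Run both lookups against an instance you administer."""
    auth = "Basic " + b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    query = "?" + urllib.parse.urlencode({"username": VULN_USER})
    user = fetch_json(base_url, "/rest/api/user" + query, auth)
    groups = fetch_json(base_url, "/rest/api/user/memberof" + query, auth) if user else None
    return assess(user, groups)

if __name__ == "__main__":
    # usage: python check_cve_2022_26138.py https://confluence.example.internal admin
    pw = getpass.getpass("Confluence admin password: ")
    print(json.dumps(check_instance(sys.argv[1], sys.argv[2], pw), indent=2))
```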