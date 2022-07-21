



A newly disclosed flaw in an Atlassian Confluence app involves a hard-coded password that threat actors could use to access customers' vulnerable Confluence instances.

The critical vulnerability, CVE-2022-26138, affects Questions for Confluence, a first-party app that adds knowledge base functionality to Atlassian's Confluence workspace platform. The flaw affects older versions of the app on Confluence Server and Data Center and has been patched, according to an Atlassian advisory published Wednesday night.

Atlassian describes this vulnerability as follows:

“If the Questions for Confluence app is enabled on Confluence Server or Data Center, a Confluence user account with the username disabledsystemuser will be created,” the disclosure read. “This account is intended to assist administrators in migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hard-coded password and added to the confluence-users group, which by default can view and edit all unrestricted pages in Confluence.”

If a Confluence instance running Questions for Confluence is exposed directly to the Internet, an unauthenticated remote threat actor could use the hard-coded password to log in to the vulnerable instance.

Atlassian said it had not seen any reports of CVE-2022-26138 being exploited in the wild. However, the company added, “Hard-coded passwords can be easily obtained after downloading and verifying the affected version of the app.”

The affected versions of the Questions for Confluence app are 2.7.34, 2.7.35 and 3.0.2. Users are advised to update the app to 2.7.38 or 3.0.5, depending on their version of Confluence. Instructions for updating the app are available on the dedicated Confluence help page.

The vendor warned that simply uninstalling Questions for Confluence does not fix the vulnerability, because the disabledsystemuser account is not deleted when the app is uninstalled. Atlassian recommended that customers upgrade to a fixed version of Questions for Confluence and then disable or remove the disabledsystemuser account.
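The two checks a defender wants after reading the advisory are whether the installed app version is one the article lists as affected, and whether the disabledsystemuser account has been used or still exists after remediation. The following script is an added example, not code from the article or from Atlassian; it assumes a Common Log Format access log whose third field is the authenticated username (the real Confluence pattern is configured in conf/server.xml and may differ) and a user export shaped as a list of username/active pairs. The log lines and user rows are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# The account named in Atlassian's advisory; it is created by Questions for
# Confluence and is never expected to log in interactively.
SUSPECT_ACCOUNT = "disabledsystemuser"

# App versions the article lists as affected, mapped to the fixed release
# on the same branch (2.7.x -> 2.7.38, 3.0.x -> 3.0.5).
AFFECTED_APP_VERSIONS = {
    "2.7.34": "2.7.38",
    "2.7.35": "2.7.38",
    "3.0.2": "3.0.5",
}

# Assumed Common Log Format: host ident user [timestamp] "request" status bytes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log: one normal user, one session as the suspect account,
# one anonymous request.
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Jul/2022:10:15:32 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 5123
203.0.113.7 - disabledsystemuser [20/Jul/2022:23:41:09 +0000] "POST /dologin.action HTTP/1.1" 302 0
203.0.113.7 - disabledsystemuser [20/Jul/2022:23:41:12 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 5123
10.0.0.9 - - [21/Jul/2022:01:02:03 +0000] "GET /login.action HTTP/1.1" 200 3010
"""

# Constructed user export, as an admin might dump it after uninstalling the app.
SAMPLE_USERS = [
    {"username": "alice", "active": True},
    {"username": "disabledsystemuser", "active": True},
]


def fix_version_for(app_version: str) -> Optional[str]:
    """Return the fixed app version to install, or None if the version is not listed as affected."""
    return AFFECTED_APP_VERSIONS.get(app_version.strip())


def find_suspect_logins(log_text: str) -> List[Dict[str, str]]:
    """Return every parseable request authenticated as the suspect account.

    Any such line is worth an alert: the account exists only for migration and
    should never appear as the authenticated user of a request.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("user") != SUSPECT_ACCOUNT:
            continue
        hits.append({
            "host": m.group("host"),
            "timestamp": m.group("ts"),
            "request": m.group("request"),
            "status": m.group("status"),
        })
    return hits


def remediation_status(users: List[Dict[str, object]]) -> str:
    """Classify the account state: 'removed', 'disabled' or 'active'.

    Uninstalling the app does not remove the account, so 'active' after an
    uninstall means the remediation is incomplete.
    """
    for row in users:
        if row["username"] == SUSPECT_ACCOUNT:
            return "active" if row["active"] else "disabled"
    return "removed"


if __name__ == "__main__":
    print("app 2.7.35 ->", fix_version_for("2.7.35"))
    for hit in find_suspect_logins(SAMPLE_LOG):
        print("ALERT suspect login:", hit)
    print("account state:", remediation_status(SAMPLE_USERS))
```

Run against a real export and access log, the third function is the one to keep checking after the upgrade: the advisory's point is that the account outlives the app, so "removed" or "disabled" is the only acceptable end state.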

SearchSecurity contacted Atlassian for more information on the timeline of the vulnerability's discovery and disclosure, but the vendor had not responded as of press time.

Hard-coded credential vulnerabilities are not uncommon and have frequently been discovered in home routers, IoT devices and industrial control systems. They have become a growing concern for the infosec community and have prompted government action such as California's IoT security law, which bans hard-coded credentials and default passwords in connected devices sold in the state.

CVE-2022-26138 is the latest critical vulnerability in Atlassian's Confluence software. Last month, a zero-day vulnerability in Confluence was exploited in the wild. Atlassian released a patch the day after the flaw was disclosed, but the vulnerability drew criticism from IT users who questioned the company's security practices.

Alexander Culafi is a Boston-based writer, journalist and podcaster.

