Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center.
The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username "disabledsystemuser."
While this account, Atlassian says, is to help administrators migrate data from the app to Confluence Cloud, it's also created with a hard-coded password, effectively allowing viewing and editing all non-restricted pages within Confluence by default.
"A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said in an advisory, adding that "the hard-coded password is trivial to obtain after downloading and reviewing affected versions of the app."
Questions for Confluence versions 2.7.34, 2.7.35, and 3.0.2 are impacted by the flaw, with fixes available in versions 2.7.38 and 3.0.5. Alternatively, users can disable or delete the disabledsystemuser account.
While Atlassian has pointed out that there's no evidence of active exploitation of the flaw, users can look for indicators of compromise by checking the last authentication time for the account. "If the last authentication time for disabledsystemuser is null, that means the account exists but no one has ever logged into it," it said.
Separately, the Australian software company also moved to patch a pair of critical flaws, which it calls servlet filter dispatcher vulnerabilities, impacting multiple products -
- Bamboo Server and Data Center
- Bitbucket Server and Data Center
- Confluence Server and Data Center
- Crowd Server and Data Center
- Fisheye and Crucible
- Jira Server and Data Center, and
- Jira Service Management Server and Data Center
Successful exploitation of the bugs, tracked as CVE-2022-26136 and CVE-2022-26137, could enable an unauthenticated, remote attacker to bypass authentication used by third-party apps, execute arbitrary JavaScript code, and circumvent the cross-origin resource sharing (CORS) browser mechanism by sending a specially crafted HTTP request.
"Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability," the company cautioned in its advisory regarding CVE-2022-26137.
Update: Atlassian on Thursday warned that the critical Questions For Confluence app vulnerability is likely to be exploited in the wild after the hard-coded password became publicly known, urging its customers to remediate the issue as soon as possible.
"An external party has discovered and publicly disclosed the hardcoded password on Twitter," the company said. "It is important to remediate this vulnerability on affected systems immediately."
The software firm also emphasized that uninstalling the Questions for Confluence app does not address the vulnerability, as the created account does not get automatically removed after the app has been uninstalled. It's instead recommending that users either update to the latest version of the app or manually disable or delete the account.
