CVE-2022-26138

Summary

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

Affected Software

VendorProductVersion RangeStatus
AtlassianQuestions For Confluence2.7.34affected
AtlassianQuestions For Confluence2.7.35affected
AtlassianQuestions For Confluence3.0.2affected

Weaknesses

  • CWE-798: Use of Hard-coded Credentials (CWE-798)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References