A vulnerability, which was classified as critical, has been found in Questions For Confluence App 2.7.34/2.7.35/3.0.2 (Atlassian Confluence Plugin). Affected by this issue is an unknown function. The manipulation with an unknown input leads to a hard-coded credentials vulnerability. Using CWE to declare the problem leads to CWE-798. The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. Impacted is confidentiality, integrity, and availability. CVE summarizes:

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

The weakness was published 07/21/2022. The advisory is shared for download at confluence.atlassian.com. This vulnerability is handled as CVE-2022-26138 since 02/25/2022. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1110.001.

This issue was added on 07/29/2022 to the CISA Known Exploited Vulnerabilities Catalog with a due date of 08/19/2022:

Apply updates per vendor instructions.

Upgrading to version 7.14.3, 7.15.2, 7.13.6, 7.16.4, 7.4.17 or 7.17.2 eliminates this vulnerability.

Productinfo

Type

• Atlassian Confluence Plugin

Name

• Questions For Confluence App

Version

• 2.7.34
• 2.7.35
• 3.0.2

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion