CVE-2022-26138

critical

Description

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

References

https://www.theregister.com/2024/09/05/uncle_sam_charges_russian_gru/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

https://www.greynoise.io/blog/spike-in-atlassian-exploitation-attempts-patching-is-crucial

https://www.tenable.com/cyber-exposure/tenable-2022-threat-landscape-report

https://jira.atlassian.com/browse/CONFSERVER-79483

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html

Details

Source: Mitre, NVD

Published: 2022-07-20

Updated: 2022-08-04

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical