Atlassian Confluence Vulnerability

157/2022
High
July 21, 2022
5:25 pm

Atlassian has resealed a security fix to mitigate a critical security vulnerability that uses hard-coded credentials affecting Confluence Server and Confluence Data Center.

The Confluence user account with the username “disabledsystemuser” is created when the Questions for Confluence app is enabled on Confluence Server or Data Center. This account is intended to aid administrators in migrating data from the app to Confluence Cloud. However, The remote unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.

Atlassian Confluence Vulnerability (CVE-2022-26138)

CVSS: 8.6
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Gain Access
Remediation Level: Official Fix

Vulnerabilities

CVE-2022-26138

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.
https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-
2022-07-20-1142446709.html

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Vulnerabilities

Mitigations

References