Atlassian introduces fixes for critical Confluence vulnerability
Atlassian has released fixes for a security vulnerability involving hard-coded credentials in the Questions For Confluence app for Confluence Server and Confluence Data Center.
The flaw is tracked as CVE-2022-26138. When the app is enabled on either product, it creates a Confluence user account with the username "disabledsystemuser".
According to Atlassian, the account is intended to help administrators migrate data from the app to Confluence Cloud. It is created with a hard-coded password and, by default, can view and edit all non-restricted pages within Confluence.
The company stated that a remote, unauthenticated attacker with knowledge of the hard-coded password can use it to log into Confluence and access any pages the confluence-users group has access to. It also noted that the hard-coded password is trivial to obtain by downloading and reviewing affected versions of the app.
The flaw affects versions 2.7.34, 2.7.35 and 3.0.2 of the Questions for Confluence app; fixes are available in versions 2.7.38 and 3.0.5. Administrators can also disable or delete the disabledsystemuser account directly. Note that simply uninstalling the app does not remove the account, so the account must be dealt with separately.
Atlassian also said that administrators can look for indicators of exploitation by checking the last authentication time of the account. If the last authentication time for disabledsystemuser is null, the account exists but no one has ever logged into it; a non-null value means the account has been used and warrants investigation.
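The check described above, written out as an added triage example (this is not Atlassian's code). It assumes the Confluence user directory (the embedded Crowd tables cwd_user and cwd_user_attribute) has been exported as lists of dicts, that the last login is stored as a "lastAuthenticated" attribute holding epoch milliseconds, and that "active" is a T/F flag; those key and attribute names are assumptions about the export. The sample records are constructed and do not come from a real instance.

```python
"""Triage the CVE-2022-26138 'disabledsystemuser' account from an exported user directory.

Added example, not Atlassian's code. Assumes cwd_user / cwd_user_attribute were
exported as dicts; the keys id, user_name, active, user_id, attribute_name and
attribute_value are assumptions about that export.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

TARGET_USER = "disabledsystemuser"
LAST_AUTH_ATTR = "lastAuthenticated"  # assumed attribute name; value is epoch milliseconds


@dataclass
class Verdict:
    status: str                  # NOT_PRESENT, NEVER_AUTHENTICATED or AUTHENTICATED
    active: bool
    last_auth: Optional[datetime]
    action: str


def _parse_last_auth(raw: Optional[str]) -> Optional[datetime]:
    """A missing, empty or zero value is treated as 'never authenticated' (null)."""
    if raw is None or str(raw).strip() in ("", "0"):
        return None
    return datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc)


def triage(users: Iterable[dict], attributes: Iterable[dict],
           username: str = TARGET_USER) -> Verdict:
    """Decide whether the hard-coded account exists and whether it has ever logged in."""
    user = next((u for u in users
                 if str(u.get("user_name", "")).lower() == username), None)
    if user is None:
        return Verdict("NOT_PRESENT", False, None,
                       "Account does not exist; still upgrade Questions for Confluence "
                       "to 2.7.38 / 3.0.5 or later before enabling the app.")

    active = str(user.get("active", "T")).upper() == "T"
    last_auth = None
    for attr in attributes:
        if attr.get("user_id") == user.get("id") and attr.get("attribute_name") == LAST_AUTH_ATTR:
            last_auth = _parse_last_auth(attr.get("attribute_value"))

    if last_auth is None:
        return Verdict("NEVER_AUTHENTICATED", active, None,
                       "Account exists but has never logged in: disable or delete it "
                       "and upgrade the app.")
    return Verdict("AUTHENTICATED", active, last_auth,
                   f"Account authenticated at {last_auth.isoformat()}: treat as a "
                   "possible compromise, review page history and audit logs for its "
                   "activity, then disable or delete it and upgrade the app.")


# Constructed sample exports covering the three outcomes (not real data).
USERS_NOT_PRESENT = [{"id": 1, "user_name": "admin", "active": "T"}]
ATTRS_NOT_PRESENT = [{"user_id": 1, "attribute_name": LAST_AUTH_ATTR,
                      "attribute_value": "1658100000000"}]

USERS_NEVER = [{"id": 1, "user_name": "admin", "active": "T"},
               {"id": 42, "user_name": "disabledsystemuser", "active": "T"}]
ATTRS_NEVER = list(ATTRS_NOT_PRESENT)   # no lastAuthenticated row for user 42

USERS_LOGGED_IN = USERS_NEVER
ATTRS_LOGGED_IN = ATTRS_NEVER + [
    {"user_id": 42, "attribute_name": LAST_AUTH_ATTR, "attribute_value": "1658246400000"},
]

if __name__ == "__main__":
    for label, users, attrs in (("no account", USERS_NOT_PRESENT, ATTRS_NOT_PRESENT),
                                ("never logged in", USERS_NEVER, ATTRS_NEVER),
                                ("logged in", USERS_LOGGED_IN, ATTRS_LOGGED_IN)):
        v = triage(users, attrs)
        print(f"{label:16} -> {v.status}: {v.action}")
```

Only the AUTHENTICATED verdict is an indicator of exploitation; the other two still call for upgrading the app, and the account should be disabled or deleted in either of the "present" cases regardless of whether the app is later uninstalled.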