Atlassian has rolled out fixes to remediate a essential safety vulnerability pertaining to using hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Knowledge Middle.
The flaw, tracked as CVE-2022-26138, arises when the app in query is enabled on both of two companies, inflicting it to create a Confluence consumer account with the username “disabledsystemuser.”
Whereas this account, Atlassian says, is to assist directors migrate information from the app to Confluence Cloud, it is also created with a hard-coded password, successfully permitting viewing and modifying all non-restricted pages inside Confluence by default.
“A distant, unauthenticated attacker with information of the hard-coded password may exploit this to log into Confluence and entry any pages the confluence-users group has entry to,” the corporate mentioned in an advisory, including that “the hard-coded password is trivial to acquire after downloading and reviewing affected variations of the app.”
Questions for Confluence variations 2.7.34, 2.7.35, and three.0.2 are impacted by the flaw, with fixes accessible in variations 2.7.38 and three.0.5. Alternatively, customers can disable or delete the disabledsystemuser account.
Whereas Atlassian has identified that there is no proof of energetic exploitation of the flaw, customers can search for indicators of compromise by checking the final authentication time for the account. “If the final authentication time for disabledsystemuser is null, meaning the account exists however nobody has ever logged into it,” it mentioned.
Individually, the Australian software program firm additionally moved to patch a pair of essential flaws, which it calls servlet filter dispatcher vulnerabilities, impacting a number of merchandise –
- Bamboo Server and Knowledge Middle
- Bitbucket Server and Knowledge Middle
- Confluence Server and Knowledge Middle
- Crowd Server and Knowledge Middle
- Fisheye and Crucible
- Jira Server and Knowledge Middle, and
- Jira Service Administration Server and Knowledge Middle
Profitable exploitation of the bugs, tracked as CVE-2022-26136 and CVE-2022-26137, may allow an unauthenticated, distant attacker to bypass authentication utilized by third-party apps, execute arbitrary JavaScript code, and circumvent the cross-origin useful resource sharing (CORS) browser mechanism by sending a specifically crafted HTTP request.
“Atlassian has launched updates that repair the basis reason behind this vulnerability, however has not exhaustively enumerated all potential penalties of this vulnerability,” the corporate cautioned in its advisory concerning CVE-2022-26137.
