Vulnerability Details : CVE-2022-26138
The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
Products affected by CVE-2022-26138
- cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*
CVE-2022-26138 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group.
Notes:
https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html; https://nvd.nist.gov/vuln/detail/CVE-2022-26138
Added on
2022-07-29
Action due date
2022-08-19
Exploit prediction scoring system (EPSS) score for CVE-2022-26138
97.17%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-26138
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-26138
-
The product contains hard-coded credentials, such as a password or cryptographic key.Assigned by:
- nvd@nist.gov (Primary)
- security@atlassian.com (Secondary)
References for CVE-2022-26138
-
https://jira.atlassian.com/browse/CONFSERVER-79483
[CONFSERVER-79483] Questions For Confluence App - Hardcoded Password - Create and track feature requests for Atlassian products.Issue Tracking;Patch;Vendor Advisory
-
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
Questions For Confluence Security Advisory 2022-07-20 | Confluence Data Center and Server 7.18 | Atlassian DocumentationVendor Advisory
Jump to