Hard-coded credentials in Questions For Confluence app for Confluence Server and Data Center



Published: 2022-07-25 | Updated: 2022-09-25
Risk Critical
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-26138
CWE-ID CWE-506
Exploitation vector Network
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software
Subscribe
Questions for Confluence
Web applications / Modules and components for CMS

Vendor Atlassian

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Embedded malicious code (backdoor)

EUVDB-ID: #VU65739

Risk: Critical

CVSSv3.1:

CVE-ID: CVE-2022-26138

CWE-ID: CWE-506 - Embedded Malicious Code

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to presence of a hardcoded disabledsystemuser account after installing the affected version of Questions for Confluence app. A remote attacker can login to the Confluence Server or Confluence Data Center instance using the hardcoded credentials and compromise the instance.

Note, the account is not removed from the system after app removal. Therefore, if the affected version of Questions for Confluence app was previously installed and later removed, the backdoor account remains active on the system.

There is a high chance the vulnerability is being actively exploited in the wild due to public vulnerability disclosure.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Questions for Confluence: 3.0.2, 2.7.34 - 2.7.35


CPE2.3 External links

http://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
http://jira.atlassian.com/browse/CONFSERVER-79483

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###