#VU65739 Embedded malicious code (backdoor) in Questions for Confluence
Vulnerability identifier: #VU65739
Vulnerability risk: Critical
CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-506
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Questions for Confluence
Web applications /
Modules and components for CMS
Vendor: Atlassian
Description
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of a hardcoded disabledsystemuser account after installing the affected version of Questions for Confluence app. A remote attacker can login to the Confluence Server or Confluence Data Center instance using the hardcoded credentials and compromise the instance.
Note, the account is not removed from the system after app removal. Therefore, if the affected version of Questions for Confluence app was previously installed and later removed, the backdoor account remains active on the system.
There is a high chance the vulnerability is being actively exploited in the wild due to public vulnerability disclosure.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Questions for Confluence: 3.0.2, 2.7.34 - 2.7.35
External links
http://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
http://jira.atlassian.com/browse/CONFSERVER-79483
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
