Atlassian has rolled out fixes to remediate a critical security vulnerability involving the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center.
The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of the two services, causing it to create a Confluence user account with the username "disabledsystemuser."
While this account, Atlassian says, is meant to help administrators migrate data from the app to Confluence Cloud, it is also created with a hard-coded password, effectively allowing anyone who knows it to view and edit all non-restricted pages within Confluence by default.
"A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said in an advisory, adding that "the hard-coded password is trivial to obtain after downloading and reviewing affected versions of the app."
Questions for Confluence versions 2.7.34, 2.7.35, and 3.0.2 are affected by the flaw, with fixes available in versions 2.7.38 and 3.0.5. Alternatively, users can disable or delete the disabledsystemuser account.
While Atlassian has pointed out that there is no evidence of active exploitation of the flaw, users can look for indicators of compromise by checking the last authentication time for the account. "If the last authentication time for disabledsystemuser is null, that means the account exists but no one has ever logged into it," it said.
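The two checks described above (is the installed app version one of the affected releases, and does the disabledsystemuser account exist and has it ever authenticated) can be folded into a small triage routine. The following is an added example, not Atlassian's code or anything from the advisory: it assumes an administrator has exported user records as dictionaries with a `username` field and a `lastAuthenticated` field holding epoch milliseconds or `None` (the field name and the sample records are constructed for the example), which mirrors what the user-management screen shows.

```python
"""Triage helper for CVE-2022-26138 (added example, not Atlassian's code).

Assumed input shape: user records as dicts {"username": str,
"lastAuthenticated": int epoch-ms or None}. Field names and sample data
are constructed for this example.
"""
from datetime import datetime, timezone
from typing import Iterable, Optional

# Releases the advisory names as affected, and the fixed release per line.
AFFECTED_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}
FIXED_VERSIONS = {"2.7": "2.7.38", "3.0": "3.0.5"}
ACCOUNT = "disabledsystemuser"

# Constructed sample export: a normal admin plus the dormant system account.
SAMPLE_USERS = [
    {"username": "admin", "lastAuthenticated": 1658000000000},
    {"username": "disabledsystemuser", "lastAuthenticated": None},
]


def app_status(version: str) -> tuple:
    """Return (affected, recommended_fix) for an installed app version."""
    version = version.strip()
    affected = version in AFFECTED_VERSIONS
    line = ".".join(version.split(".")[:2])  # e.g. "2.7" or "3.0"
    fix = FIXED_VERSIONS.get(line) if affected else None
    return affected, fix


def find_account(users: Iterable[dict]) -> Optional[dict]:
    """Locate the disabledsystemuser record, matching case-insensitively."""
    for user in users:
        if user.get("username", "").lower() == ACCOUNT:
            return user
    return None


def account_status(users: Iterable[dict]) -> str:
    """Classify the account: absent, present-never-used, or present-used."""
    user = find_account(users)
    if user is None:
        return "absent"
    if user.get("lastAuthenticated") is None:
        # Null last-authentication time: account exists, nobody logged in.
        return "present-never-used"
    return "present-used"


def last_login_utc(user: dict) -> Optional[str]:
    """Render the epoch-ms timestamp as ISO-8601 UTC for the report."""
    ts = user.get("lastAuthenticated")
    if ts is None:
        return None
    return datetime.fromtimestamp(ts / 1000, tz=timezone.utc).isoformat()


def triage(version: str, users: Iterable[dict]) -> dict:
    """Combine both checks into a findings/actions summary."""
    users = list(users)
    affected, fix = app_status(version)
    status = account_status(users)
    actions = []
    if affected:
        actions.append(f"upgrade Questions for Confluence to {fix}")
    if status != "absent":
        actions.append(f"disable or delete the {ACCOUNT} account")
    if status == "present-used":
        when = last_login_utc(find_account(users))
        actions.append(f"investigate: {ACCOUNT} last authenticated at {when}")
    return {"affected": affected, "account": status, "actions": actions}


if __name__ == "__main__":
    print(triage("2.7.35", SAMPLE_USERS))
```

A non-null last authentication time on this account is the one signal the advisory offers, so the routine escalates that case to an investigation item rather than treating the upgrade alone as closure.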
Separately, the Australian software company also moved to patch a pair of critical flaws, which it calls servlet filter dispatcher vulnerabilities, affecting multiple products:
- Bamboo Server and Data Center
- Bitbucket Server and Data Center
- Confluence Server and Data Center
- Crowd Server and Data Center
- Fisheye and Crucible
- Jira Server and Data Center, and
- Jira Service Management Server and Data Center
"Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability," the company cautioned in its advisory regarding CVE-2022-26137.