Atlassian Confluence plugin contains hardcoded password

A new flaw found in a plugin for Atlassian Confluence contains a hardcoded password that threat actors can use to access vulnerable Confluence customers.

The critical vulnerability, CVE-2022-26138, concerns Atlassian Questions for Confluence, a first-party application that adds a knowledge base feature to Atlassian's workspace platform, Confluence. The flaw affects outdated versions of Confluence Server and Data Center, and has been patched, according to an Atlassian advisory published Wednesday evening.

"When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser," the disclosure read. "This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default."

Because the Questions for Confluence login is internet-facing, a remote, unauthenticated threat actor could exploit the hardcoded password to gain access to any vulnerable Confluence instance.

Atlassian said it has not seen any reports of CVE-2022-26138 being exploited in the wild. However, the company added that "the hardcoded password is trivial to obtain after downloading and reviewing affected versions of the app."

Affected Confluence versions are 2.7.34, 2.7.35 and 3.0.2. App users are advised to update their apps to 2.7.38 or 3.0.5 depending on their version of Confluence. Instructions for updating apps are available on a dedicated Confluence help page.

The vendor warned that simply uninstalling Questions for Confluence does not remediate the vulnerability because the disabledsystemuser account isn't removed by uninstalling the app. Atlassian recommended customers upgrade to the latest versions of Questions for Confluence, and disable or delete the disabledsystemuser account.

SearchSecurity contacted Atlassian for more information about the discovery of the vulnerability and the disclosure timeline, but the vendor has not responded at press time.

Hardcoded credential vulnerabilities are not uncommon, though recently they've often been discovered in home routers and IoT devices, as well as industrial control systems. Such vulnerabilities have become a growing concern for the infosec community, which has led to government action, such as California's IoT security law that banned hardcoded credentials and default passwords for connected devices sold in the state.

CVE-2022-26138 is the latest critical vulnerability for Atlassian's Confluence software. Last month, a zero-day vulnerability for Confluence was exploited in the wild. While Atlassian patched the flaw the day after it was revealed, the vulnerability sparked criticism from IT users who questioned the company's security posture.

Alexander Culafi is a writer, journalist and podcaster based in Boston.