The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical hard-coded credentials vulnerability in the Questions for Confluence app (CVE-2022-26138) to its Known Exploited Vulnerabilities Catalog.
An attacker could exploit this vulnerability to take control of impacted systems.
According to an Atlassian advisory originally released on July 20, 2022, the Atlassian Questions for Confluence app has a hard-coded credentials vulnerability (CVE-2022-26138) that could expose the user account and password in plaintext. As a consequence, an unauthenticated attacker could use those credentials to log in to Confluence and access all content available to users in the confluence-users group.
Atlassian also warned that “an external party has discovered and publicly disclosed the hardcoded password on Twitter.” Moreover, there are reports of CVE-2022-26138 (CVSS 8.8) being exploited in the wild.
On July 30, 2022, Atlassian added an update that unpatched Confluence systems “may send email notifications from Confluence to a third party email address” not under the control of Atlassian.
System admins are highly encouraged to update their Confluence systems to the latest versions as soon as possible.
Finally, the Questions for Confluence app for Confluence Cloud is not affected by this issue.