
Atlassian Questions for Confluence Hard-Coded Credentials Vulnerability

CVE advisory | Known Exploit

CVE-2022-26138

A vulnerability in the Atlassian Questions for Confluence app allows an unauthenticated attacker to access Confluence content with the privileges of the `confluence-users` group. This poses a risk of unauthorized data exposure.

Halo Surface Signal: 4

Atlassian Questions For Confluence

Affected versions: 2.7.34, 2.7.35, 3.0.2

External exposure likelihood

Halo Surface Signal score for CVE-2022-26138

Confluence is commonly deployed as an internet-facing enterprise collaboration and knowledge management platform. As a web-based application frequently exposed to facilitate remote access for employees or external partners, the vulnerable component is often reachable from the public internet in typical real-world deployments.

Horizon Alert

Summary of the vulnerability and why it matters

The Atlassian Questions For Confluence application for Confluence Server and Data Center contains hard-coded credentials (CVE-2022-26138). The flaw allows an unauthenticated remote attacker to access all content available to users in the `confluence-users` group, which could expose sensitive information within the organization.

  • Vulnerable application component
  • Hardcoded credentials are exposed
  • Unauthorized content access

Attack Path

How an attacker could exploit the issue

The Atlassian Questions for Confluence app creates a Confluence user account with a hardcoded username and password. An attacker who knows this password can use it to log into Confluence as a user within the `confluence-users` group. This grants them access to all content that users in that group can view. The user account is established when specific versions of the app are installed.

  • Exposure via network.
  • Attacker uses hardcoded password.
  • Access to Confluence content.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability impacts organizations running the affected versions of the Atlassian Questions for Confluence app. An attacker who knows the hardcoded password can log into Confluence as a user in the `confluence-users` group and access all content available to that group, potentially leading to unauthorized data exposure and modification. Given its severity, the issue should be treated with a high degree of urgency.

  • Likely attacker skill level: Any
  • Required access or conditions: Network access, knowledge of hardcoded password
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization should address the Atlassian Questions For Confluence app vulnerability by first identifying all instances of the affected software. The vulnerability allows unauthenticated remote attackers with knowledge of hardcoded credentials to log in and access sensitive Confluence content. This poses a significant risk to data confidentiality and integrity. Organizations must take immediate action to mitigate this threat and protect their information assets.

  • Identify all affected Confluence assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
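The Attack Path section above says the affected app versions create a `disabledsystemuser` account in `confluence-users`, and the Operational Fix section says to identify affected instances and then monitor. The following Python is an added example written for this page, not code from the advisory or from Atlassian: it checks an installed app version against the affected releases the advisory lists (2.7.34, 2.7.35, 3.0.2) and scans access log lines for requests authenticated as the hardcoded account. The log lines and their format are constructed for the example; real Confluence access logs follow whatever pattern the instance is configured with, so `LOG_RE` must be adapted to it.

```python
"""Triage helpers for CVE-2022-26138 (example code, not part of the advisory).

Two checks a defender would run:
  1. Is the installed Questions for Confluence version one of the affected
     releases the advisory lists (2.7.34, 2.7.35, 3.0.2)?
  2. Do access log lines show the 'disabledsystemuser' account authenticating?
     That account should be disabled or removed, so any request by it on a
     production instance is worth investigating.

The log format below is constructed for this example; adapt LOG_RE to the
access log pattern your own Confluence instance uses.
"""
import re
from dataclasses import dataclass

# Affected versions exactly as listed in the advisory.
AFFECTED_VERSIONS = {(2, 7, 34), (2, 7, 35), (3, 0, 2)}

# Account that the affected app versions create on installation (from the advisory).
HARDCODED_ACCOUNT = "disabledsystemuser"

# Constructed log lines in a simplified "<date> <time> <ip> <user> "<method> <path>" <status>"
# layout. 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2022-07-21 09:58:11 198.51.100.20 alice "GET /display/ENG/Runbooks" 200
2022-07-21 10:15:02 203.0.113.5 disabledsystemuser "POST /dologin.action" 302
2022-07-21 10:15:03 203.0.113.5 disabledsystemuser "GET /rest/api/content?limit=500" 200
2022-07-21 10:15:09 203.0.113.5 disabledsystemuser "GET /display/FIN/Budget" 200
2022-07-21 10:20:40 198.51.100.21 - "GET /login.action" 200
this line is not in the expected format
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def parse_version(version: str) -> tuple:
    """Turn '2.7.34' into (2, 7, 34); trailing qualifiers after the third number are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the installed app version is one the advisory lists as vulnerable."""
    return parse_version(version) in AFFECTED_VERSIONS


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    path: str
    status: int


def find_hardcoded_account_activity(lines, account=HARDCODED_ACCOUNT):
    """Return (findings, unparsed_count) for requests authenticated as `account`.

    Lines that do not match LOG_RE are counted rather than dropped silently, so a
    mismatch between LOG_RE and the real log format is visible to the analyst.
    """
    findings, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        if m["user"] == account:
            findings.append(Finding(m["ts"], m["ip"], m["path"], int(m["status"])))
    return findings, unparsed


def summarize(findings):
    """Group findings by client IP: {ip: (request_count, first_seen, last_seen)}."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.client_ip, []).append(f)
    return {
        ip: (len(fs), min(f.timestamp for f in fs), max(f.timestamp for f in fs))
        for ip, fs in by_ip.items()
    }


if __name__ == "__main__":
    for v in ("2.7.33", "2.7.34", "3.0.2", "3.0.3"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not listed as affected'}")
    found, skipped = find_hardcoded_account_activity(SAMPLE_LOG.splitlines())
    print(f"{len(found)} request(s) by {HARDCODED_ACCOUNT}, {skipped} unparsed line(s)")
    for ip, (count, first, last) in summarize(found).items():
        print(f"  {ip}: {count} request(s) between {first} and {last}")
```

Run against the constructed sample, the scan reports three requests by the hardcoded account from one client address and one unparsed line. The version check is deliberately an exact match against the advisory's list rather than a range comparison, because the advisory names specific releases; an instance on a version it does not list still needs confirmation from the vendor's fixed-version guidance before being treated as safe.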

Frequently asked questions

What is the Atlassian Questions for Confluence app and how is it used?

The Atlassian Questions for Confluence app is an add-on for Confluence Server and Data Center. When specific versions of the app are installed, they create a Confluence user account with the username 'disabledsystemuser' and a hardcoded password.

What type of weakness does CVE-2022-26138 represent?

CVE-2022-26138 is an example of a hard-coded credentials vulnerability (CWE-798). This means that sensitive information, in this case, a username and password, is embedded directly into the software, making it accessible to attackers who know where to look.

How could an attacker exploit CVE-2022-26138?

An attacker could exploit this vulnerability by knowing the hardcoded password associated with the 'disabledsystemuser' account. With this knowledge, they can log into Confluence without needing any other authentication or special access. The vulnerability is not triggered by any specific user action within the application, but rather by the presence of the hardcoded credentials.

Who should be concerned about this CVE based on its exposure?

Organizations running the Atlassian Questions for Confluence app should be concerned. Halo Surface Signal rates this vulnerability as likely external: the affected component is often found on internet-facing systems used for collaboration and knowledge management, so it is potentially reachable from the public internet.

What are the first steps to address CVE-2022-26138?

The first step is to identify all Confluence instances where the affected Atlassian Questions for Confluence app versions are installed. Once identified, organizations should take immediate action to mitigate the threat and protect their information assets from unauthorized access.
