Published: 20/07/2022 Updated: 04/08/2022
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

Vulnerability Summary

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

atlassian questions_for_confluence 3.0.2

atlassian questions_for_confluence 2.7.35

atlassian questions_for_confluence 2.7.34

Github Repositories

CVE-2022-26138 Atlassian Questions hardcoded creds vulnerability POC

CVE-2022-26138-RCE Unauthenticated RCE via CVE-2022-26138 confluence

Confluence-Question-CVE-2022-26138 Atlassian Confluence Server and Data Center: CVE-2022-26138 When the 'Questions for Confluence' app is installed and enabled on Confluence Server or Data Center, it creates a Confluence user account with the username 'disabledsystemuser' and password 'disabled1system1user6708', which is a hardcoded password and is

Read List 优质内容订阅,阅读方为根本 如果你还有其他想要加入到订阅列表里的博客或周刊,欢迎通过issue进行反馈,或者直接通过PR进行提交! 目录 博客周刊 二丫讲梵 酷壳 阮一峰的网络日志 独立产品灵感周刊 独立开发变现周刊 好工具周刊 王登科-DK博客 谢益辉博客 卢冬冬

Recent Articles

Atlassian reveals critical flaws in almost everything it makes and touches
The Register • Simon Sharwood, APAC Editor • 01 Jan 1970

Topics Security Off-Prem On-Prem Software Offbeat Vendor Voice Vendor Voice Resources Fixes issued, warns it 'has not exhaustively enumerated all potential consequences' What do you want The Register to do for you?

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security.
The company's July security advisories detail "Servlet Filter dispatcher vulnerabilities."
One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authent...