CVE-2022-26138

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*
OR cpe:2.3:a:atlassian:confluence_server:-:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*

Information

Published : 2022-07-20 11:15

Updated : 2022-08-04 07:13


NVD link : CVE-2022-26138

Mitre link : CVE-2022-26138


JSON object : View

CWE
CWE-798

Use of Hard-coded Credentials

Advertisement

dedicated server usa

Products Affected

atlassian

  • confluence_data_center
  • questions_for_confluence
  • confluence_server