Hardcoded Credentials for Atlassian Questions for Confluence App Leaked
On July 20, Atlassian published two security advisories [1, 2]. Atlassian addressed CVE-2022-26138, a vulnerability within Questions for Confluence, an app available for Confluence Server or Data Center instances that enables knowledge sharing via an internal question-and-answer tool. This tool is not installed by default, though the Atlassian Marketplace shows that it has been installed over 8,000 times.
The root cause is that, once installed, the app creates a Confluence user account named disabledsystemuser, intended to “aid administrators that are migrating data from the app to Confluence Cloud.” The account is created with a hardcoded password and is added to the confluence-users group, which by default permits viewing and editing of any page that is not explicitly restricted. Anyone who knows that password can therefore authenticate to the instance as a normal user and read or modify non-restricted content. Atlassian did not assign a CVSSv3 score to CVE-2022-26138, but rates the advisory as critical under its own severity scale, which corresponds to a CVSSv3 range of 9.0 to 10.0.
On July 22, Atlassian confirmed that the hardcoded password for the disabledsystemuser account had been posted publicly on Twitter, so in-the-wild exploitation of CVE-2022-26138 should be expected; any reachable instance with a vulnerable version of the app installed should be treated as exposed.
To remediate, Atlassian advises updating Questions for Confluence to a fixed version: 2.7.38 or later in the 2.7.x line (compatible with Confluence 6.13.18 through 7.16.2), or 3.0.5 or later (compatible with Confluence 7.16.3 and later). Alternatively, disable or delete the disabledsystemuser account directly. Note that uninstalling the app is not sufficient on its own: the account is not removed when the app is uninstalled, so it must be disabled or deleted explicitly. Atlassian's advisory also recommends checking the account's last-authentication time in user management to determine whether the credential has already been used against the instance.
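Because the password is public, the practical question for an administrator is not only whether the account exists but whether anyone has already logged in with it. The following Python audit is an added example written for this post; it is not code from Atlassian or from the original article. It runs over access-log lines and reports every request authenticated as disabledsystemuser, the source addresses, and the paths that were successfully read or changed. The account name comes from the advisory; the log layout is an assumed, simplified one (client IP, authenticated user, timestamp, request line, status), and the sample lines, IP addresses and paths are constructed for the demonstration. Confluence's real access-log layout is whatever AccessLogValve pattern is configured in its Tomcat conf/server.xml, so adapt the regular expression to that before using this against real logs.

```python
import re
from collections import Counter

# Account created by the Questions for Confluence app (CVE-2022-26138).
LEAKED_ACCOUNT = "disabledsystemuser"

# Assumed, simplified access-log layout (not Confluence's exact format; adjust
# this pattern to the AccessLogValve pattern in your conf/server.xml):
#   <client ip> <authenticated user or -> [<timestamp>] "<method> <path> <proto>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for the demonstration; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 jdoe [20/Jul/2022:09:12:01 +0000] "GET /display/ENG/Home HTTP/1.1" 200
198.51.100.9 - [22/Jul/2022:14:01:10 +0000] "POST /dologin.action HTTP/1.1" 302
203.0.113.7 disabledsystemuser [22/Jul/2022:14:03:55 +0000] "GET /rest/api/content?limit=500 HTTP/1.1" 200
203.0.113.7 disabledsystemuser [22/Jul/2022:14:04:02 +0000] "GET /download/attachments/123/secrets.xlsx HTTP/1.1" 200
203.0.113.7 disabledsystemuser [22/Jul/2022:14:04:30 +0000] "PUT /rest/api/content/123 HTTP/1.1" 403
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit_leaked_account(lines, account=LEAKED_ACCOUNT):
    """Summarise every request authenticated as the leaked account.

    Any line whose authenticated-user field equals the account means the
    hardcoded password was accepted by Confluence, whatever the response
    status, so a single hit is evidence of credential use. Requests that
    got a non-error status show what was actually read or changed.
    """
    hits = [r for r in map(parse_line, lines) if r and r["user"].lower() == account]
    succeeded = [r for r in hits if r["status"] < 400]
    return {
        "compromised": bool(hits),
        "requests": hits,
        "succeeded": succeeded,
        "source_ips": Counter(r["ip"] for r in hits),
        "paths": sorted({r["path"] for r in succeeded}),
        "first_seen": hits[0]["ts"] if hits else None,
        "last_seen": hits[-1]["ts"] if hits else None,
    }


if __name__ == "__main__":
    report = audit_leaked_account(SAMPLE_LOG.splitlines())
    print(f"compromised: {report['compromised']}")
    print(f"requests by {LEAKED_ACCOUNT}: {len(report['requests'])} "
          f"({len(report['succeeded'])} succeeded) from {dict(report['source_ips'])}")
    print(f"window: {report['first_seen']} .. {report['last_seen']}")
    for path in report["paths"]:
        print("  accessed:", path)
```

The audit deliberately counts every authenticated request, including ones that were later denied with 403, because the denial happened after Confluence had already accepted the hardcoded password. A clean log only tells you the account was not used during the retained window, so pair this with a check that the account is disabled or deleted and that the app is on a fixed version.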