Hard-coded password in Confluence app leaked on Twitter

Hard-coded password in Confluence app leaked on Twitter. Image: Getty Images

What's worse than a widely used, internet-connected enterprise application with a hard-coded password? Try said business app after the hard-coded password is leaked to the world.

Atlassian on Wednesday disclosed three critical product vulnerabilities, including CVE-2022-26138 resulting from a hard-coded password in Questions for Confluence, an application that allows users to quickly receive assistance with common questions about Atlassian products. The company warned that the access code was "easy to get".

The company said Questions for Confluence had 8,055 installs at the time of publication. Once installed, the app creates a Confluence user account named disabledsystemuser, to help administrators move data between the app and the Confluence Cloud service. The hard-coded password protecting this account allows viewing and editing of all unrestricted Confluence pages.

"A remote, unauthenticated attacker knowing the hard-coded password could exploit this to log into Confluence and gain access to all pages that the confluence user pool has access to," the company said. "It is important to immediately address this vulnerability on affected systems."

A day later, Atlassian was back to report that “an external party discovered and publicly disclosed the hard-coded password on Twitter,” leading the company to reinforce its warnings.

“This issue is likely to be exploited in the wild now that the hard-coded password is publicly known,” reads the updated advisory. "This vulnerability should be addressed immediately on affected systems."

The company warned that even Confluence installations that no longer have the app installed may still be vulnerable. Uninstalling the application does not automatically fix the vulnerability because the disabledsystemuser account may still reside on the system.

To determine if a system is vulnerable, Atlassian advised Confluence users to look for accounts with the following information:

User: system user disabled
Username: disabledsystemuser
Email: dontdeletethisuser@email.com

Atlassian has provided more instructions for locating these accounts here. The vulnerability affects versions 2.7.x and 3.0.x of Questions for Confluence. Atlassian provided two ways for customers to resolve the issue: disable or delete the "disabledsystemuser" account. The company has also published this list of answers to frequently asked questions.

Confluence users looking for evidence of exploitation can check the last authentication time for disabledsystemuser by following the instructions here. If the result is zero, the account exists on the system, but no one has yet logged in using it. The commands also display all recent login attempts that have succeeded or failed.
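The triage the article describes (look for the indicator account, then check whether its last authentication time is zero and whether it is still enabled) as an added example, not Atlassian's own commands; it runs over a constructed user export, and the record fields are an assumption rather than Confluence's schema:

```python
import datetime as dt
from dataclasses import dataclass

# Indicators quoted from the Atlassian advisory in the article.
INDICATOR_USERNAME = "disabledsystemuser"
INDICATOR_EMAIL = "dontdeletethisuser@email.com"

@dataclass
class UserRecord:
    username: str
    email: str
    last_authenticated_ms: int  # 0 = account exists but nobody has logged in with it
    active: bool                # False once an admin has disabled the account

# Constructed sample export; field names are an assumption, not Confluence's tables.
SAMPLE_USERS = [
    UserRecord("admin", "admin@example.test", 1658300000000, True),
    UserRecord("disabledsystemuser", "dontdeletethisuser@email.com", 0, True),
    UserRecord("jdoe", "jdoe@example.test", 1658200000000, True),
]

def find_indicator_accounts(users):
    """Match on username OR e-mail so a renamed-but-not-removed account still shows up."""
    return [u for u in users
            if u.username.lower() == INDICATOR_USERNAME
            or u.email.lower() == INDICATOR_EMAIL]

def assess(users):
    """'not_present', 'present_unused' (last auth is zero) or 'present_used'."""
    hits = find_indicator_accounts(users)
    if not hits:
        return "not_present", None
    acct = hits[0]
    return ("present_unused" if acct.last_authenticated_ms == 0 else "present_used"), acct

def is_remediated(users):
    """True when no indicator account exists or every match has been disabled."""
    return all(not u.active for u in find_indicator_accounts(users))

def last_login_utc(acct):
    """Convert the epoch-milliseconds timestamp to a UTC datetime; None if never used."""
    if acct.last_authenticated_ms == 0:
        return None
    return dt.datetime.fromtimestamp(acct.last_authenticated_ms / 1000, dt.timezone.utc)

if __name__ == "__main__":
    status, acct = assess(SAMPLE_USERS)
    print(status, acct and acct.username, acct and last_login_utc(acct),
          "remediated" if is_remediated(SAMPLE_USERS) else "ACTION NEEDED")
```

A "present_used" result is the case that warrants an incident review of the login history the article mentions, not just account removal.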

"Now that the patches are available, patch diffing and reverse engineering efforts can be expected to produce a public POC in a fairly short time," wrote Casey Ellis, founder of the vulnerability-reporting service Bugcrowd, in a direct message. "Atlassian shops should immediately patch products intended for the public, and those behind the firewall as quickly as possible. The advisory's comments recommending against using proxy filtering as a mitigation measure suggest that there are multiple avenues for triggering it."

The other two vulnerabilities disclosed by Atlassian on Wednesday are also serious, affecting the following products:

Bamboo Server and Data Center
Bitbucket Server and Data Center
Confluence Server and Data Center
Crowd Server and Data Center
Crucible

