CVE-2022-26138

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*
OR cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:confluence_server:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-07-20 18:15

Updated : 2024-02-28 19:29


NVD link : CVE-2022-26138

Mitre link : CVE-2022-26138

CVE.ORG link : CVE-2022-26138


JSON object : View

Products Affected

atlassian

  • confluence_data_center
  • questions_for_confluence
  • confluence_server
CWE
CWE-798

Use of Hard-coded Credentials