CVE-2022-26138

2022-07-20 18:15:08
CWE-798 (Use of Hard-coded Credentials)
Source: web.nvd.nist.gov
In Wild
Tags: atlassian, confluence, questions, cve-2022-26138, security, vulnerability, hardcoded password

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.4
Confidence: High

EPSS: 0.972
Percentile: 99.9%

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

Affected configurations

NVD configuration:
  (atlassian questions_for_confluence 2.7.34
   OR atlassian questions_for_confluence 2.7.35
   OR atlassian questions_for_confluence 3.0.2)
  AND
  (atlassian confluence_data_center -
   OR atlassian confluence_server -)

Vendor    | Product                  | Version | CPE
atlassian | questions_for_confluence | 2.7.34  | cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*
atlassian | questions_for_confluence | 2.7.35  | cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*
atlassian | questions_for_confluence | 3.0.2   | cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*
atlassian | confluence_data_center   | -       | cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*
atlassian | confluence_server        | -       | cpe:2.3:a:atlassian:confluence_server:-:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Questions For Confluence",
    "vendor": "Atlassian",
    "versions": [
      {
        "status": "affected",
        "version": "2.7.34"
      },
      {
        "status": "affected",
        "version": "2.7.35"
      },
      {
        "status": "affected",
        "version": "3.0.2"
      }
    ]
  }
]
