CVE-2022-26138: Hard-Coded Password in Confluence Server and Data Center

CVE-2022-26138

Atlassian has released security updates to address three critical-severity vulnerabilities in its products that could be exploited to cause an authentication bypass or cross-site scripting and take control of affected systems.

The first of the three flaws, CVE-2022-26138 (CVSS score: 8.6), affects Confluence Server and Data Center. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit it to log into Confluence.

“When the Questions for Confluence app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username disabledsystemuser. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default,” Atlassian said in an advisory.

CVE-2022-26138 impacts Confluence Server and Data Center versions 7.4.0, 7.13.0, 7.4.12, 7.16.0, 7.15.1, and 7.17.0. It has been resolved in versions 7.14.3, 7.15.2, 7.13.6, 7.16.4, 7.4.17, and 7.17.2. Atlassian is not aware of any exploits leveraging this critical flaw.

How To Determine If You Are Affected

A Confluence Server or Data Center instance is affected if it has an active user account with the following information:

  • User: disabledsystemuser
  • Username: disabledsystemuser
  • Email: dontdeletethisuser@email.com

If this account does not show up in the list of active users, the Confluence instance is not affected.
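As an added worked example (not code from the article or from Atlassian), the check described above expressed as a small Python script: it takes an exported list of Confluence user records and reports whether an account matching both indicators exists and is still active. The two indicator values are the ones the advisory gives; the export step, the record field names (username, email, active) and the sample records are assumptions constructed for illustration.

```python
"""Check a Confluence user export for the CVE-2022-26138 indicator account.

Added example; not from the article or from Atlassian. It operates on user
records already exported from a Confluence instance. How that export is
produced is left to the reader, and the field names "username", "email"
and "active" are assumptions, not an Atlassian schema.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Indicator values taken from the advisory text above.
INDICATOR_USERNAME = "disabledsystemuser"
INDICATOR_EMAIL = "dontdeletethisuser@email.com"


@dataclass(frozen=True)
class ConfluenceUser:
    username: str
    email: str
    active: bool


def parse_users(json_text: str) -> List[ConfluenceUser]:
    """Load a JSON array of user objects (assumed keys: username, email, active)."""
    records = json.loads(json_text)
    return [
        ConfluenceUser(
            username=str(r.get("username", "")),
            email=str(r.get("email", "")),
            active=bool(r.get("active", False)),
        )
        for r in records
    ]


def _norm(value: str) -> str:
    # Directory exports differ in case and padding; normalise before comparing.
    return value.strip().lower()


def matches_indicator(user: ConfluenceUser) -> bool:
    """True when both the username and the e-mail match the advisory's indicators."""
    return (_norm(user.username) == INDICATOR_USERNAME
            and _norm(user.email) == INDICATOR_EMAIL)


def assess(users: Iterable[ConfluenceUser]) -> Tuple[bool, List[str]]:
    """Return (instance_affected, findings).

    Per the advisory's test, the instance counts as affected only when the
    indicator account is present AND active; a deactivated copy or a partial
    match is reported for manual review but does not set the affected flag.
    """
    affected = False
    findings: List[str] = []
    for u in users:
        if matches_indicator(u):
            if u.active:
                affected = True
                findings.append(f"AFFECTED: active account {u.username} <{u.email}>")
            else:
                findings.append(f"note: {u.username} present but deactivated")
        elif _norm(u.username) == INDICATOR_USERNAME or _norm(u.email) == INDICATOR_EMAIL:
            findings.append(f"review: partial indicator match on {u.username} <{u.email}>")
    return affected, findings


# Constructed sample export (not real data) with the indicator account active.
SAMPLE_EXPORT = json.dumps([
    {"username": "admin", "email": "admin@example.invalid", "active": True},
    {"username": "DisabledSystemUser", "email": "dontdeletethisuser@email.com", "active": True},
    {"username": "jdoe", "email": "jdoe@example.invalid", "active": False},
])


if __name__ == "__main__":
    is_affected, notes = assess(parse_users(SAMPLE_EXPORT))
    for line in notes:
        print(line)
    print("instance affected" if is_affected else "instance not affected")
```

The case-insensitive comparison is deliberate: the export in the sample spells the username `DisabledSystemUser`, and a check that compared strings exactly would miss it.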

Atlassian also addressed two critical-severity vulnerabilities affecting Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Crucible, Fisheye, Jira Server and Data Center, and Jira Service Management Server and Data Center:

  • Arbitrary Servlet Filter Bypass (CVE-2022-26136)
  • Additional Servlet Filter Invocation (CVE-2022-26137)

If successfully exploited, the flaws could allow an attacker who tricks a user into requesting a malicious URL to execute arbitrary JavaScript in the user’s browser, or to access the vulnerable application with the victim’s permissions.