Atlassian’s popular Confluence Server and Data Center products have been patched to remove a hard-coded credentials bug that the company rates as critically severe.
As the company explains in its advisory, the bug (CVE-2022-26138) exists when the Questions for Confluence app is enabled on an instance.
When enabled, Questions for Confluence creates a user account called “DisabledSystemUser” to help administrators migrate application data to Confluence Cloud.
This account, which is part of the confluence-users group, has a hard-coded password, allowing an unauthenticated remote attacker to log into Confluence and access all pages available to the confluence-users group.
The company said “the hard-coded password is easy to obtain after downloading and reviewing the affected versions of the app.”
The account may still exist on instances where Questions for Confluence was enabled at some point, even if the app is no longer active.
Administrators should check whether their Confluence Server or Data Center instance has a “disabledsystemuser” account with the email address “[email protected]”.
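One way to automate that check, as an added example that is not Atlassian’s own code or tooling: the script below pulls the members of the confluence-users group over the Confluence Server REST API and flags the migration account by username. The endpoint path, the shape of its JSON response and the use of an admin session header are assumptions; the only detail taken from the advisory is the account name. A constructed sample response is embedded so the matching logic can be exercised offline.

```python
"""Added example (not Atlassian's code): flag the Questions for Confluence
migration account ("disabledsystemuser") on a Confluence Server / Data Center
instance by inspecting the confluence-users group.

Assumptions (not stated in the article):
  * the instance exposes GET /rest/api/group/{group}/member, paged with
    start/limit, returning {"results": [{"username": ..., "displayName": ...,
    "userKey": ...}, ...]};
  * the caller supplies a valid Authorization header for an admin user.
"""
import json
import urllib.request
from urllib.parse import quote

# Account name from the advisory; Confluence usernames are case-insensitive,
# so compare in lower case.
SUSPECT_USERNAME = "disabledsystemuser"
TARGET_GROUP = "confluence-users"


def find_suspect_accounts(members):
    """Return the member records whose username is the migration account.

    `members` is a list of dicts shaped like the `results` array of the
    (assumed) group-member endpoint.
    """
    hits = []
    for member in members:
        username = (member.get("username") or "").strip().lower()
        if username == SUSPECT_USERNAME:
            hits.append(member)
    return hits


def assess(members):
    """Summarise the check as a dict a caller can act on or log."""
    hits = find_suspect_accounts(members)
    return {
        "present": bool(hits),
        "accounts": hits,
        # The article describes the account's risk; remediation details are
        # left to Atlassian's advisory, so only point the operator there.
        "recommendation": (
            "migration account found in confluence-users: treat as exposed and "
            "follow the CVE-2022-26138 advisory" if hits
            else "migration account not present in confluence-users"
        ),
    }


def fetch_group_members(base_url, group, auth_header, page_size=200):
    """Page through the assumed GET /rest/api/group/{group}/member endpoint."""
    members = []
    start = 0
    while True:
        url = (f"{base_url.rstrip('/')}/rest/api/group/{quote(group)}/member"
               f"?start={start}&limit={page_size}")
        req = urllib.request.Request(
            url, headers={"Authorization": auth_header, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        results = page.get("results", [])
        members.extend(results)
        if len(results) < page_size:      # last page reached
            break
        start += page_size
    return members


# Constructed sample, shaped like the assumed REST response, for offline use.
SAMPLE_MEMBERS = [
    {"username": "alice", "displayName": "Alice Example", "userKey": "KEY-ALICE-PLACEHOLDER"},
    {"username": "DisabledSystemUser", "displayName": "Disabled System User",
     "userKey": "KEY-DSU-PLACEHOLDER"},
    {"username": "bob", "displayName": "Bob Example", "userKey": "KEY-BOB-PLACEHOLDER"},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python check_dsu.py https://confluence.example.invalid "Basic <token>"
        members = fetch_group_members(sys.argv[1], TARGET_GROUP, sys.argv[2])
    else:
        members = SAMPLE_MEMBERS      # offline demonstration on constructed data
    print(json.dumps(assess(members), indent=2))
```

Run it against the constructed sample to see the flag raised, or pass a base URL and an Authorization header to query a real instance; a hit should be followed by a review of the account’s last authentication time in the user management screen, since the article notes the password was obtainable by anyone who downloaded the affected app versions.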
A separate advisory covers two bugs, CVE-2022-26136 and CVE-2022-26137, which affect a range of the company’s products.
These include server and data center versions of Bamboo, Bitbucket, Confluence, Crowd, Jira and Jira Service Management, as well as the company’s Fisheye and Crucible software.
Atlassian Cloud sites are not affected, the company noted.
The bugs affect servlet filters, the Java code that inspects and processes incoming HTTP requests.
“Some servlet filters provide security mechanisms such as logging, auditing, authentication, or authorization,” the advisory says.
In CVE-2022-26136, “an unauthenticated remote attacker [can] bypass servlet filters used by proprietary and third-party applications.”
Possible exploits, Atlassian said, include authentication bypass and cross-site scripting attacks.
In CVE-2022-26137, the attacker can “cause additional servlet filters to be invoked when the application is processing requests or responses”, opening a system to a cross-origin resource sharing bypass.
This is exploitable by tricking a user into requesting a malicious URL, giving a remote, unauthenticated attacker access to the vulnerable application with the victim’s permissions.