Atlassian’s popular Confluence server and data centre products have been patched to remove a hardcoded credentials bug the company rates as of critical severity.
As the company explains in its advisory, the bug (CVE-2022-26138) exists if the user has enabled the Questions for Confluence app.
When enabled, Questions for Confluence creates a user account called ‘disabledsystemuser’, to help admins migrating data from the app to Confluence Cloud.
That account, part of the confluence-users group, has a hardcoded password, allowing a remote, unauthenticated attacker to log into Confluence and access any pages available to the confluence-users group.
The company said that “the hardcoded password is trivial to obtain after downloading and reviewing affected versions of the app.”
The account could exist because Questions for Confluence has been previously enabled, even if it’s not currently active.
Admins should check whether their Confluence server or data centre instance has a ‘disabledsystemuser’ account with the email address ‘firstname.lastname@example.org’.
A separate advisory covers two bugs, CVE-2022-26136 and CVE-2022-26137, which affects a range of products.
These include the server and data centre versions of Bamboo, Bitbucket, Confluence, Crowd, Jira and Jira Service Management, as well as the company’s Fisheye and Crucible software.
Atlassian Cloud sites are not affected, the company noted.
The bugs affect servlet filters, Java code that inspects and processes incoming HTTP requests.
“Some servlet filters provide security mechanisms such as logging, auditing, authentication, or authorization,” the advisory states.
In CVE-2022-26136, “a remote, unauthenticated attacker [can] bypass servlet filters used by first and third party apps.”
Possible exploits, Atlassian said, include authentication bypass and cross-site scripting attacks.
In CVE-2022-26137, the attacker can “cause additional servlet filters to be invoked when the application processes requests or responses”, opening a system to a cross-origin resource sharing bypass.
This is exploitable by tricking a user into requesting a malicious URL, giving a remote, unauthenticated attacker access to the vulnerable application with the victim’s permissions.