9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.973 High
EPSS
Percentile
99.8%
(i) Update: This advisory has been updated since its original publication.
2022/08/01 12:00 PM PDT (Pacific Time, -7 hours)
2022/08/01 11:00 AM PDT (Pacific Time, -7 hours)
2022/07/30 1:15 PM PDT (Pacific Time, -7 hours)
2022/07/22 9:30 AM PDT (Pacific Time, -7 hours)
2022/07/21 8:30 AM PDT (Pacific Time, -7 hours)
h3. Vulnerability Summary
When the [Questions for Confluence app|https://marketplace.atlassian.com/apps/1211644/questions-for-confluence?hosting=server&tab=overview] is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username {{disabledsystemuser}}. This account is intended to aid administrators that are migrating data from the app to Confluence Cloud. The {{disabledsystemuser}} account is created with a hardcoded password and is added to the {{confluence-users}} group, which allows viewing and editing all non-restricted pages within Confluence [by default|https://confluence.atlassian.com/doc/confluence-groups-139478.html]. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence.
The {{disabledsystemuser}} account is configured with a third party email address ({{[email protected]}}) that is not controlled by Atlassian. If this vulnerability has not been remediated per the Fixes section below, an affected instance configured to send [notifications|https://confluence.atlassian.com/doc/email-notifications-145162.html] will email that address. One example of an email notification is [Recommended Updates Notifications|https://confluence.atlassian.com/doc/configuring-the-recommended-updates-email-notification-281480712.html], which contains a report of the top pages from Confluence spaces the user has permissions to view. mail.com, the free email provider that manages the {{[email protected]}} account, has confirmed to Atlassian that the account has been blocked. This means it cannot be accessed by anyone unauthorized and cannot send or receive any new messages.
(!) An external party has discovered and publicly disclosed the hardcoded password on Twitter. Refer to the Remediation section below for guidance on how to remediate this vulnerability.
h3. How To Determine If You Are Affected
A Confluence Server or Data Center instance is affected if it has an active user account with the following information:
If this account does not show up in the list of active users, the Confluence instance is not affected.
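As an added example (not Atlassian's code and not part of this advisory), the following Python script performs the two checks a defender wants here: it looks through an exported list of Confluence users for an active {{disabledsystemuser}} account, and it scans access-log lines for any activity attributed to that account so that a compromise can be detected, not just the exposure. The export field names ({{username}}, {{email}}, {{active}}, {{groups}}) and the access-log line layout are assumptions for this example; adapt them to your own user export and log format.

```python
"""Check for the CVE-2022-26138 indicator account and for activity by it.

Added example; not part of the Atlassian advisory and not Atlassian code.
Assumptions: (1) Confluence users have been exported as a JSON list of
{"username", "email", "active", "groups"} records; (2) access-log lines use
the constructed layout "[timestamp] client-ip user METHOD path status".
Adapt the field names and the regex to your own export and log format.
"""
import json
import re

# The username named in the advisory. The mail.com domain is used only as
# supporting context, since the advisory says the account's address is there.
INDICATOR_USERNAME = "disabledsystemuser"
INDICATOR_MAIL_DOMAIN = "mail.com"

# Constructed sample export (placeholder addresses, not the real one).
SAMPLE_EXPORT = json.dumps([
    {"username": "alice", "email": "alice@example.org",
     "active": True, "groups": ["confluence-users"]},
    {"username": "disabledsystemuser", "email": "placeholder@mail.com",
     "active": True, "groups": ["confluence-users"]},
    {"username": "svc-backup", "email": "svc@example.org",
     "active": False, "groups": []},
])

# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = """\
[2022-07-21 09:15:02] 203.0.113.7 alice POST /dologin.action 302
[2022-07-21 09:16:40] 198.51.100.23 disabledsystemuser POST /dologin.action 302
[2022-07-21 09:17:01] 198.51.100.23 disabledsystemuser GET /pages/viewpage.action?pageId=1234 200
[2022-07-21 09:20:11] 203.0.113.7 alice GET /dashboard.action 200
"""

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def find_indicator_accounts(export_json: str) -> list:
    """Return every record whose username matches the advisory's account.

    Disabled matches are returned too (with active=False) so an operator can
    see that the account existed; is_affected() applies the advisory's rule
    that only an *active* account makes the instance affected.
    """
    findings = []
    for rec in json.loads(export_json):
        username = str(rec.get("username", "")).lower()
        if username != INDICATOR_USERNAME:
            continue
        email = str(rec.get("email", "")).lower()
        findings.append({
            "username": username,
            "active": bool(rec.get("active")),
            "in_confluence_users": "confluence-users" in rec.get("groups", []),
            "email_on_indicator_domain": email.endswith("@" + INDICATOR_MAIL_DOMAIN),
        })
    return findings


def is_affected(export_json: str) -> bool:
    """True when the indicator account exists in the export and is active."""
    return any(f["active"] for f in find_indicator_accounts(export_json))


def find_indicator_logins(log_text: str) -> list:
    """Return parsed access-log entries attributed to the indicator account."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("user") == INDICATOR_USERNAME:
            hits.append({"timestamp": m.group("ts"), "source_ip": m.group("ip"),
                         "method": m.group("method"), "path": m.group("path"),
                         "status": int(m.group("status"))})
    return hits


def login_sources(log_text: str) -> set:
    """Distinct client IPs that made any request as the indicator account."""
    return {h["source_ip"] for h in find_indicator_logins(log_text)}


if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_EXPORT))
    for hit in find_indicator_logins(SAMPLE_ACCESS_LOG):
        print(hit)
    print("source IPs:", login_sources(SAMPLE_ACCESS_LOG))
```

Run against the constructed data, the script reports the instance as affected and lists two requests from one client address made as {{disabledsystemuser}}, including the login itself. Because the advisory states that the hardcoded password was published, any entry returned by {{find_indicator_logins}} on a real instance should be treated as a possible unauthorised login and followed by the Remediation steps below.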
h3. Remediation
(!) Uninstalling the Questions for Confluence app does not remediate this vulnerability. The {{disabledsystemuser}} account does not automatically get removed after the app has been uninstalled. If you have verified a Confluence Server or Data Center instance is affected, two equally effective ways to remediate this vulnerability are listed below.
h4. Option 1: Update to a non-vulnerable version of Questions for Confluence
Update the Questions for Confluence app to a fixed version:
For more information on how to update an app, refer to [Atlassian’s documentation|https://confluence.atlassian.com/upm/updating-apps-273875710.html].
Fixed versions of the Questions for Confluence app stop creating the {{disabledsystemuser}} user account, and remove it from the system if it has already been created. Migrating data from the app to Confluence Cloud is now a manual process.
(!) If Confluence is configured to use a read-only external directory (e.g. Atlassian Crowd), you will need to follow Option 2 below.
h4. Option 2: Disable or delete the {{disabledsystemuser}} account
Search for the {{disabledsystemuser}} account and either disable it or delete it. For instructions on how to disable or delete an account (including an explanation of the differences between the two options), refer to [Atlassian’s documentation|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html].
If you choose to delete the {{disabledsystemuser}} account, you must also [uninstall|https://confluence.atlassian.com/upm/uninstalling-apps-273875709.html] or upgrade the Questions for Confluence app to a non-vulnerable version. Failure to do this could result in the account being recreated after it has been deleted.
If Confluence is configured to use a read-only external directory, refer to the [Delete from a read-only external directory, or multiple external directories section|https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html#DeleteorDisableUsers-Deletefromaread-onlyexternaldirectory,ormultipleexternaldirectories] of the same document.
h3. Frequently Asked Questions
We’ll update the [FAQ for CVE-2022-26138|https://confluence.atlassian.com/kb/faq-for-cve-2022-26138-1141988423.html] with answers for commonly asked questions.
h3. Security Advisory
For additional details, refer to [Confluence Security Advisory 2022-07-20|https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html].