Lucene search

K
nessusThis script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.WEB_APPLICATION_SCANNING_113328
HistoryAug 08, 2022 - 12:00 a.m.

Atlassian Questions For Confluence 2.7.34 / 2.7.35 / 3.0.2 Hardcoded Credentials

2022-08-0800:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
29

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group.

Uninstalling the Questions for Confluence app does not remediate this vulnerability. The account does not automatically get removed after the app has been uninstalled.

No source data
VendorProductVersion
aatlassianconfluence