NVD:CVE-2022-26138
History: Jul 20, 2022 - 6:15 p.m.

CVE-2022-26138

2022-07-20 18:15:08
CWE-798
web.nvd.nist.gov
Tags: atlassian, confluence, hardcoded, password, vulnerability, group creation

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.972
Percentile: 99.9%

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

Affected configurations

Nvd
Node
atlassian questions_for_confluence Match 2.7.34
OR
atlassian questions_for_confluence Match 2.7.35
OR
atlassian questions_for_confluence Match 3.0.2
AND
atlassian confluence_data_center Match -
OR
atlassian confluence_server Match -
