Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that lets remote, unauthenticated attackers log into vulnerable, unpatched servers.
Two further flaws were disclosed alongside it. The first, CVE-2022-26136, is described as an arbitrary Servlet Filter bypass: an attacker can send a specially crafted HTTP request to bypass custom Servlet Filters that third-party apps use to enforce authentication.
“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” Atlassian added.
The second flaw – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.
Update to a patched version
Admins who want to determine whether their servers are affected by this hardcoded credentials flaw should check for an active user account with the following details:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: email@example.com
If this account does not show up in the list of active users, the Confluence instance is not affected.
Updating the Questions for Confluence app to a fixed version (2.7.x >= 2.7.38, or 3.0.x >= 3.0.5) stops the problematic user account from being created and removes it if it is present. If the app cannot be updated right away, disable or delete the disabledsystemuser account manually. Note that uninstalling the Questions for Confluence app does not remove the account and therefore does not remediate the issue on its own.
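The following is an added example, not Atlassian's code, that automates the check described above: it takes a list of user records and reports whether the instance is affected (account present and active), merely has the account in a disabled state, or does not have it at all. The record shape (username/email/active) is an assumption about whatever export or API response you feed in, the SAMPLE_USERS list is constructed to mimic an affected instance, and the optional fetch_user helper assumes Confluence Server's GET /rest/api/user resource with basic auth and an expand=status field reporting "current" for active accounts.

```python
"""Check a Confluence Server / Data Center user list for the hardcoded
'disabledsystemuser' account created by vulnerable Questions for Confluence
versions. Added example, not Atlassian's code."""
import json
import urllib.error
import urllib.parse
import urllib.request
from base64 import b64encode

# Indicators exactly as listed on this page.
SUSPECT_USERNAME = "disabledsystemuser"
SUSPECT_EMAIL = "email@example.com"

# Constructed sample export of an affected instance (not real data). Note the
# mixed-case spelling: Confluence usernames are case-insensitive, so the
# comparison below lowercases before matching.
SAMPLE_USERS = json.loads("""[
  {"username": "alice", "email": "alice@corp.example", "active": true},
  {"username": "DisabledSystemUser", "email": "email@example.com", "active": true},
  {"username": "bob", "email": "bob@corp.example", "active": false}
]""")


def classify(users):
    """Apply the advisory's check to a list of user records.

    Returns a dict with:
      status  : "affected"    - account exists and is active (remediate now)
                "disabled"    - account exists but is inactive (not affected
                                per the advisory; still worth removing)
                "not_present" - account absent, instance not affected
      matches : the matching records, annotated with whether the e-mail
                address also matches the one listed in the advisory.
    """
    matches = []
    for u in users:
        if (u.get("username") or "").lower() != SUSPECT_USERNAME:
            continue
        matches.append({
            "username": u.get("username"),
            "email": u.get("email"),
            "active": bool(u.get("active")),
            "email_matches_advisory": (u.get("email") or "").lower() == SUSPECT_EMAIL,
        })
    if not matches:
        status = "not_present"
    elif any(m["active"] for m in matches):
        status = "affected"
    else:
        status = "disabled"
    return {"status": status, "matches": matches}


def fetch_user(base_url, username, admin_user, admin_password, timeout=10):
    """Look one account up via Confluence Server's REST user resource
    (GET /rest/api/user?username=...). Returns the decoded JSON on 200 and
    None on 404 (account does not exist). An admin account is required.
    Assumption: expand=status yields status "current" for active users."""
    query = urllib.parse.urlencode({"username": username, "expand": "status"})
    req = urllib.request.Request(f"{base_url.rstrip('/')}/rest/api/user?{query}")
    token = b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def record_from_rest(rec):
    """Map a REST user object (or None) onto the record shape classify() expects.
    The e-mail field may be absent from the REST response; that only affects
    the informational email_matches_advisory flag."""
    if rec is None:
        return []
    return [{
        "username": rec.get("username", ""),
        "email": rec.get("email", ""),
        "active": rec.get("status") == "current",   # assumption, see fetch_user
    }]


if __name__ == "__main__":
    import os
    base = os.environ.get("CONFLUENCE_URL")
    if base:   # live check: CONFLUENCE_URL, CONFLUENCE_ADMIN, CONFLUENCE_PASSWORD
        rec = fetch_user(base, SUSPECT_USERNAME,
                         os.environ["CONFLUENCE_ADMIN"], os.environ["CONFLUENCE_PASSWORD"])
        users = record_from_rest(rec)
    else:      # offline demonstration on the constructed sample
        users = SAMPLE_USERS
    print(json.dumps(classify(users), indent=2))
```

Run it with no environment variables to see the verdict on the constructed sample; set CONFLUENCE_URL, CONFLUENCE_ADMIN and CONFLUENCE_PASSWORD to query a real instance. A "disabled" verdict means the advisory's active-user test passes, but the account should still be removed, since a later app install or upgrade is what created it in the first place.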