CVE-2022-26138
Questions for Confluence vulnerability analysis and mitigation

Overview

CVE-2022-26138 is a critical vulnerability discovered in the Questions for Confluence app affecting Confluence Server and Data Center instances. The vulnerability was disclosed on July 20, 2022, and involves a hardcoded password issue where the app creates a Confluence user account with the username 'disabledsystemuser' that has access to view and edit all non-restricted pages within Confluence by default (Atlassian Advisory).

Technical details

When the Questions for Confluence app is enabled, it creates a user account with hardcoded credentials intended for data migration to Confluence Cloud. The account is automatically added to the confluence-users group with default permissions to view and edit non-restricted pages. The vulnerability affects Questions for Confluence versions 2.7.34, 2.7.35, and 3.0.2. The severity is rated as critical with a CVSS score of 8.6 (NVD, Atlassian Advisory).

Impact

A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access any pages the confluence-users group has access to. Additionally, affected instances may send email notifications containing sensitive information to a third-party email address not controlled by Atlassian (Atlassian Advisory).

Mitigation and workarounds

Two remediation options are available: 1) update the Questions for Confluence app to a fixed version (2.7.38 or later for the 2.7.x series, or 3.0.5 or later), or 2) disable or delete the disabledsystemuser account. Note that simply uninstalling the app does not remediate the vulnerability. For systems using read-only external directories, only the second option is viable (Atlassian Advisory).
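The following triage script is an added example (not Atlassian's or Wiz's code) that turns the impact and mitigation guidance above into three checks a defender can run: whether the installed app version falls within the fixed ranges stated above, whether the disabledsystemuser account still exists, is enabled and sits in confluence-users, and whether an access log attributes any requests to that account. The version thresholds, account name and group name come from the text above; the user-record shape, the access-log layout (client address, authenticated username, timestamp, request line, status, bytes) and all sample log lines are assumptions constructed for the demonstration.

```python
"""Triage helpers for CVE-2022-26138 (Questions for Confluence 'disabledsystemuser').

Added example; not Atlassian's or Wiz's code. Version thresholds, account name and
group name come from the advisory text; the user-record shape, the access-log
layout and the sample data below are assumptions constructed for this demonstration.
"""
import re
from collections import Counter
from typing import Optional

HARDCODED_ACCOUNT = "disabledsystemuser"            # account the app creates (advisory)
DEFAULT_GROUP = "confluence-users"                  # group it is added to (advisory)
AFFECTED_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}   # app versions named as affected


def _parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def app_version_is_fixed(version: str) -> bool:
    """Apply the advisory's thresholds: 2.7.38+ for the 2.7.x series, 3.0.5+ otherwise.
    Anything outside both ranges is conservatively treated as not fixed."""
    if version in AFFECTED_VERSIONS:
        return False
    parts = _parse_version(version)
    if parts[:2] == (2, 7):
        return parts >= (2, 7, 38)
    return parts >= (3, 0, 5)


def account_exposes_instance(user: Optional[dict]) -> bool:
    """Assumed record shape: {'username': str, 'active': bool, 'groups': [str]}.
    The instance stays exposed while the account exists, is enabled and is in
    confluence-users; a deleted account (None) or a disabled one does not expose it."""
    if user is None:
        return False
    return bool(user.get("active")) and DEFAULT_GROUP in user.get("groups", [])


# Assumed access-log layout: client address, authenticated username, [timestamp],
# "request line", status, bytes. Adjust the pattern to the instance's real valve format.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def hardcoded_account_activity(log_lines) -> list:
    """Return every request the access log attributes to the hardcoded account.
    The account exists for data migration, so any interactive use is worth investigating;
    the source addresses show where the sessions came from."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if m and m.group("user") == HARDCODED_ACCOUNT:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "request": m.group("req"), "status": int(m.group("status"))})
    return hits


def triage(app_installed: bool, app_version: Optional[str], user: Optional[dict], log_lines) -> dict:
    """Combine the checks into a verdict. A fixed app version (option 1) or a
    disabled/deleted account (option 2) remediates; merely uninstalling the app does
    not, because the account check alone still decides in that case."""
    option1 = app_installed and app_version is not None and app_version_is_fixed(app_version)
    option2 = not account_exposes_instance(user)
    hits = hardcoded_account_activity(log_lines)
    return {
        "remediated": option1 or option2,
        "app_fixed": option1,
        "account_neutralised": option2,
        "suspicious_requests": len(hits),
        "source_addresses": dict(Counter(h["ip"] for h in hits)),
    }


# Constructed sample data (not real log output).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 alice [21/Jul/2022:09:15:02 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 5120
198.51.100.7 disabledsystemuser [21/Jul/2022:09:16:44 +0000] "POST /dologin.action HTTP/1.1" 302 0
198.51.100.7 disabledsystemuser [21/Jul/2022:09:16:45 +0000] "GET /pages/viewpage.action?pageId=5678 HTTP/1.1" 200 8213
203.0.113.10 - [21/Jul/2022:09:17:01 +0000] "GET /login.action HTTP/1.1" 200 4310
""".splitlines()

SAMPLE_USER = {"username": HARDCODED_ACCOUNT, "active": True, "groups": ["confluence-users"]}

if __name__ == "__main__":
    # App uninstalled but account untouched: still exposed, and the log shows the account in use.
    print(triage(app_installed=False, app_version=None, user=SAMPLE_USER, log_lines=SAMPLE_ACCESS_LOG))
```

Running the module prints a verdict for the "uninstalled app, untouched account" case: not remediated, two requests attributed to disabledsystemuser, all from one address. Feed `triage` the real app version, the account record from your user directory and the instance's access log to get the same summary for a live system.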

Community reactions

The vulnerability gained significant attention after the hardcoded credentials were leaked on Twitter, leading to increased exploitation attempts. CISA issued an alert encouraging users and administrators to apply the necessary updates immediately due to the likelihood of exploitation in the wild (CISA Alert).
