Last month, we learned of a critical remote code execution (RCE) flaw in Atlassian Confluence affecting all non-cloud versions of Confluence Server and Data Center. Although the company was quick to fix that flaw, a new one has now cropped up. The latest issue is trivial to exploit because it involves default credentials that grant access to the system.
Case in point is the Questions for Confluence app enabled on Confluence Server and Data Center. It creates a default user with a hardcoded username ("disabledsystemuser") and password, and then adds that user to the confluence-users group. By default, this group has view and edit access to all non-restricted Confluence pages. Essentially, anyone who downloads an affected version of the app and reviews it can see the password and then remotely access your Confluence instance with that account, without needing any other credentials.
Why is a hardcoded user account created in the first place, you ask? According to Atlassian, the purpose was to allow admins to easily migrate data from the app to the Confluence Cloud. It's clear that the company didn't foresee how it could be misused.
Since this is a very trivial vulnerability to exploit with potentially severe negative impacts, Atlassian has awarded it a "critical" level of severity. You are affected if your Confluence directory has a user created with the following credentials:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: firstname.lastname@example.org
Companies with Questions for Confluence version 2.7.x and 3.0.x are definitely affected, and others may be impacted too. As usual, Confluence Cloud customers are unaffected.
For its part, Atlassian has already rolled out the following patched versions of Questions for Confluence:
- 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)
- Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)
It has also urged organizations to immediately delete or disable the disabledsystemuser account. Although the vendor hasn't detected signs of exploitation in the wild yet, Confluence admins should follow Atlassian's guidance to triage independently. The security flaw is being tracked as CVE-2022-26138.
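As an added example (not Atlassian's code or guidance), the following Python triage helper checks a constructed user list for the hardcoded account, confirms whether it is active and in confluence-users, and scans constructed access-log lines for requests made as that account. The user-record shape and the log layout are assumptions to adapt to your own instance.

```python
import re

# Hardcoded account from the advisory for CVE-2022-26138.
HARDCODED_USER = "disabledsystemuser"
REQUIRED_GROUP = "confluence-users"

# Constructed user records; the shape (username/active/groups) is an
# assumption standing in for a user-directory export or REST response.
SAMPLE_USERS = [
    {"username": "alice", "active": True, "groups": [REQUIRED_GROUP]},
    {"username": HARDCODED_USER, "active": True, "groups": [REQUIRED_GROUP]},
]

# Constructed access-log lines. The "<ip> <user> [<time>] \"<method> <path>\""
# layout is an assumption; adjust LOG_RE to your deployment's real format.
SAMPLE_LOG = """\
203.0.113.7 alice [20/Jul/2022:10:01:02 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200
198.51.100.9 disabledsystemuser [20/Jul/2022:10:05:44 +0000] "GET /rest/api/content HTTP/1.1" 200
198.51.100.9 disabledsystemuser [20/Jul/2022:10:06:01 +0000] "POST /rest/api/content HTTP/1.1" 200
203.0.113.8 - [20/Jul/2022:10:07:13 +0000] "GET /login.action HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)

def find_hardcoded_account(users):
    """Return the record for the hardcoded account, or None if it is absent."""
    return next((u for u in users if u.get("username") == HARDCODED_USER), None)

def requests_by_account(log_text):
    """Return (ip, timestamp, method, path) for every request made as the hardcoded account."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("user") == HARDCODED_USER:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), m.group("path")))
    return hits

def triage(users, log_text):
    """Summarise exposure: is the account present, active, in the group, and was it used?"""
    acct = find_hardcoded_account(users)
    hits = requests_by_account(log_text)
    return {
        "present": acct is not None,
        "active": bool(acct and acct.get("active", True)),
        "in_confluence_users": bool(acct and REQUIRED_GROUP in acct.get("groups", [])),
        "requests_by_account": len(hits),
        "source_ips": sorted({h[0] for h in hits}),
    }
```

A non-empty `source_ips` list means the account has been used and warrants incident response, not just removal of the user.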