Atlassian releases security patches for critical Confluence vulnerabilities

Atlassian has rolled out fixes for a critical vulnerability stemming from hard-coded credentials that affects the Questions For Confluence app for Confluence Server and Confluence Data Center.

The bug, tracked as CVE-2022-26138, arises when the app is enabled on either product: a Confluence user account is created with the username 'disabledsystemuser'.

While Atlassian says this account is intended to help administrators migrate data from the app to Confluence Cloud, it is created with a hard-coded password, which by default allows all non-restricted pages within Confluence to be viewed and edited.


“An unauthenticated remote attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages that the confluence-users group can access,” the company said in an advisory, adding that “the hard-coded password is trivial to obtain after downloading and reviewing affected versions of the app.”

Questions for Confluence versions 2.7.34, 2.7.35, and 3.0.2 are affected by the bug; fixes are available in versions 2.7.38 and 3.0.5. Alternatively, users can disable or delete the disabledsystemuser account.

While Atlassian noted that there is no evidence of active exploitation of the bug, users can look for indicators of compromise by checking the account’s last authentication time. “If the last authentication time of the disabled system user is blank, then the account exists but no one has logged into it,” the company said.
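The remediation and the last-authentication check above, as an added triage helper that is not Atlassian's code: it encodes the affected and fixed app versions, applies the "blank last authentication time" rule, and additionally scans access-log lines for requests attributed to the account. The log layout (ip, user, timestamp, request, status) and the sample lines are constructed assumptions for this example, not a real Confluence log format.

```python
import re

# Facts from the advisory as reported above: the account name and the fixed versions
ACCOUNT = "disabledsystemuser"
FIXED = {(2, 7): (2, 7, 38), (3, 0): (3, 0, 5)}   # release line -> first fixed version

# Assumed access-log layout (constructed for this example): ip user [timestamp] "request" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample log lines, not taken from a real system
SAMPLE_LOG = [
    '203.0.113.7 admin [21/Jul/2022:10:01:02 +0000] "GET /rest/api/space HTTP/1.1" 200',
    '198.51.100.9 disabledsystemuser [21/Jul/2022:10:05:44 +0000] "GET /dashboard.action HTTP/1.1" 200',
    '198.51.100.9 - [21/Jul/2022:10:05:50 +0000] "GET /login.action HTTP/1.1" 200',
]

def version_vulnerable(version: str) -> bool:
    """True if this Questions for Confluence version predates the fix for its release line."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return False  # release line not covered by the advisory: check it manually
    return parts < fixed

def account_logins(log_lines):
    """(ip, timestamp) for every request the log attributes to the hard-coded account."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if m and m.group("user") == ACCOUNT:
            hits.append((m.group("ip"), m.group("ts")))
    return hits

def triage(app_version: str, account_exists: bool, last_auth: str, log_lines) -> dict:
    """Advisory logic: upgrade if vulnerable; an existing account with a blank last
    authentication time and no log activity is unused, anything else needs investigation."""
    actions = []
    if version_vulnerable(app_version):
        actions.append("upgrade Questions for Confluence to a fixed version")
    if not account_exists:
        return {"verdict": "absent", "actions": actions}
    hits = account_logins(log_lines)
    if last_auth.strip() or hits:
        actions.append("treat as compromised: review access from " + ", ".join(sorted({ip for ip, _ in hits})))
        return {"verdict": "investigate", "actions": actions, "logins": hits}
    actions.append("disable or delete the %s account" % ACCOUNT)
    return {"verdict": "unused", "actions": actions}
```

Running `triage("3.0.2", True, "", SAMPLE_LOG)` returns an "investigate" verdict with the single login recorded in the sample log; with a fixed version, an untouched account, and an empty log it returns "unused".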

Separately, the Australian software company has also moved to patch a pair of critical flaws, which it calls Servlet Filter dispatcher vulnerabilities, affecting several products:

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Fisheye and Crucible
  • Jira Server and Data Center, and
  • Jira Service Management Server and Data Center

The flaws, tracked as CVE-2022-26136 and CVE-2022-26137, can enable an unauthenticated remote attacker to bypass authentication used by third-party apps, execute arbitrary JavaScript code, and circumvent the browser’s Cross-Origin Resource Sharing (CORS) mechanism by sending a specially crafted HTTP request.

In its advisory regarding CVE-2022-26137, the company warned: “Atlassian has released updates that fix the root cause of this vulnerability, but has not comprehensively listed all of the potential consequences of this vulnerability.”
