Confluence released Security Advisory 2022-07-20 on July 20, and updated it today. The security advisory addresses Confluence accounts with hardcoded credentials created by Questions for Confluence. This affects the Confluence app for Confluence Server and Confluence Data Center.
When the Questions for Confluence app is enabled on Confluence Server or Data Center, the app creates a Confluence user account with the username disabledsystemuser. This account is intended for administrators migrating data from the app to Confluence Cloud.
The disabledsystemuser account is created with a hard-coded password and added to the confluence-users group. By default, the group allows viewing and editing of all unrestricted pages in Confluence. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all pages to which the confluence-users group has access.
This hardcoded password vulnerability was discovered by an external security researcher and disclosed on Twitter. Confluence classifies the vulnerability as critical. Since the hardcoded password is now publicly known, it is likely that this issue will be exploited in the wild. This vulnerability should be fixed immediately on affected systems. A Confluence Server or Data Center instance is affected if it has an active user account with the following details:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: dontdeletethisuser@email.com
It is possible for this account to exist if the Questions for Confluence app was previously installed and uninstalled. The following app versions are affected:
- Questions for Confluence 2.7.34, 2.7.35 and 3.0.2
Confluence has provided updated versions of the app. In addition, user accounts can be disabled and deleted. For details on how to fix this vulnerability, see Security Advisory 2022-07-20.
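The two checks an administrator wants after reading this advisory are (a) whether the account described above exists and is still active, and (b) whether anyone has already used it. The following is an added example, not code from the advisory or from Atlassian: it applies the advisory's account criteria to user records and scans access-log lines for requests served to disabledsystemuser. The user-record keys (username, email, active), the access-log layout and all sample data are this example's own assumptions, constructed so it runs offline.

```python
import re
from typing import Iterable

# Account attributes named in Security Advisory 2022-07-20.
AFFECTED_USERNAME = "disabledsystemuser"
AFFECTED_EMAIL = "dontdeletethisuser@email.com"


def is_affected_account(user: dict) -> bool:
    """True when a user record matches the advisory's criteria: an *active*
    account named disabledsystemuser with the hard-coded e-mail address.
    The record keys (username, email, active) are an assumption of this
    example, e.g. taken from an export of the admin user list."""
    return bool(
        user.get("active", False)
        and user.get("username", "").lower() == AFFECTED_USERNAME
        and user.get("email", "").lower() == AFFECTED_EMAIL
    )


# Assumed access-log layout (constructed for this example, not Confluence's
# documented format):
#   [timestamp] username thread client-ip METHOD path proto status
ACCESS_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<user>\S+)\s+(?P<thread>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<proto>\S+)\s+(?P<status>\d{3})"
)


def find_suspect_logins(lines: Iterable[str]) -> list[dict]:
    """Return every successfully served request (2xx/3xx) attributed to
    disabledsystemuser. Any hit is evidence the hard-coded credential has
    been used, so the pages readable by confluence-users may have been read."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # skip lines in another layout rather than mis-attributing them
        if m["user"].lower() != AFFECTED_USERNAME:
            continue
        status = int(m["status"])
        if 200 <= status < 400:
            hits.append({
                "time": m["ts"], "ip": m["ip"], "method": m["method"],
                "path": m["path"], "status": status,
            })
    return hits


# Constructed sample data: IPs, timestamps, thread names and paths are invented.
SAMPLE_USERS = [
    {"username": "alice", "email": "alice@example.test", "active": True},
    {"username": "disabledsystemuser", "email": "dontdeletethisuser@email.com", "active": True},
]

SAMPLE_LOG = """\
[20/Jul/2022:09:58:11 +0000] alice http-nio-8090-exec-1 10.0.0.7 GET /rest/api/content/12345 HTTP/1.1 200
[20/Jul/2022:10:02:43 +0000] disabledsystemuser http-nio-8090-exec-3 203.0.113.9 GET /rest/api/content?limit=200 HTTP/1.1 200
[20/Jul/2022:10:02:44 +0000] disabledsystemuser http-nio-8090-exec-3 203.0.113.9 GET /rest/api/space HTTP/1.1 401
[20/Jul/2022:10:03:01 +0000] - http-nio-8090-exec-2 203.0.113.9 POST /dologin.action HTTP/1.1 302
""".splitlines()


def affected_accounts(users=SAMPLE_USERS) -> list[str]:
    """Usernames from the given records that meet the advisory's criteria."""
    return [u["username"] for u in users if is_affected_account(u)]


if __name__ == "__main__":
    print("affected accounts:", affected_accounts())
    for hit in find_suspect_logins(SAMPLE_LOG):
        print("suspect request:", hit)
```

On the sample data the first function reports the disabledsystemuser account as affected, and the log scan returns the single successful request from 203.0.113.9 while ignoring the 401 and the anonymous login POST. Run against a real user export and the instance's access logs, an empty result from the second function does not prove the account was never used, since logs may have rotated; the fix remains applying the updated app version and disabling or deleting the account as the advisory describes.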