CVE-2022-26138

Published on: Not Yet Published

Last Modified on: 08/04/2022 02:13:00 PM UTC

CVE-2022-26138

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Confluence Data Center from Atlassian contain the following vulnerability:

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

CVE-2022-26138 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.
Affected Vendor/Software: Atlassian - Questions For Confluence version = 2.7.34
Affected Vendor/Software: Atlassian - Questions For Confluence version = 2.7.35
Affected Vendor/Software: Atlassian - Questions For Confluence version = 3.0.2

CVSS3 Score: 9.8 - CRITICAL

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	HIGH	HIGH

CVE References

Description	Tags ^ⓘ	Link
Questions For Confluence Security Advisory 2022-07-20 \| Confluence Data Center and Server 7.18 \| Atlassian Documentation	confluence.atlassian.com text/html	MISC confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
[CONFSERVER-79483] Questions For Confluence App - Hardcoded Password - Create and track feature requests for Atlassian products.	jira.atlassian.com text/html	MISC jira.atlassian.com/browse/CONFSERVER-79483

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

150556 Atlassian Confluence Server and Data Center : Questions for Confluence App - Hardcoded Credentials (CVE-2022-26138)
730569 Atlassian Confluence Server and Confluence Data Center - Questions For Confluence App - Hardcoded Password Vulnerability (CONFSERVER-79483)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Atlassian	Confluence Data Center	-	All	All	All
Application	Atlassian	Confluence Server	-	All	All	All
Application	Atlassian	Questions For Confluence	2.7.34	All	All	All
Application	Atlassian	Questions For Confluence	2.7.35	All	All	All
Application	Atlassian	Questions For Confluence	3.0.2	All	All	All

cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*:
cpe:2.3:a:atlassian:confluence_server:-:*:*:*:*:*:*:*:
cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*:
cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*:
cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@CVEreport	CVE-2022-26138 : The #Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Conflu… twitter.com/i/web/status/1…	2022-07-20 17:31:27
@8C_8B	CVE-2022-26138, CVE-2022-26136 & CVE-2022-26137 Atlassian is messing hard with my after work hours. :( If you use C… twitter.com/i/web/status/1…	2022-07-20 20:44:25
@rheijdendael	CVE-2022-26138 and CVE-2022-26137	2022-07-20 21:44:22
@fluepke	Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with knowledge of the hardcoded… twitter.com/i/web/status/1…	2022-07-20 23:00:44
@nluedtke1	Tracking CVE-2022-26138, because we are still using hard coded passwords in 2022…in any event you have removed your… twitter.com/i/web/status/1…	2022-07-20 23:16:49
@ipssignatures	I know no IPS that has a protection/signature/rule for the vulnerability CVE-2022-26138. The vuln was published 0 d… twitter.com/i/web/status/1…	2022-07-21 00:04:01
@ipssignatures	The vuln CVE-2022-26138 has a tweet created 0 days ago and retweeted 7 times. twitter.com/fluepke/status… #Sm2c5msijkbtjm	2022-07-21 00:04:01
@ipssignatures	The vuln CVE-2022-26138 has a tweet created 0 days ago and retweeted 11 times. twitter.com/fluepke/status… #pow1rtrtwwcve	2022-07-21 02:06:00
@the_yellow_fall	CVE-2022-26138: Hard-Coded Password Confluence Server and Data Center securityonline.info/cve-2022-26138… #opensource #infosec #security #pentesting	2022-07-21 03:21:50
@AcooEdi	CVE-2022-26138: Hard-Coded Password Confluence Server and Data Center dlvr.it/SVFBQM via securityonline https://t.co/QIt9MIe643	2022-07-21 03:22:36
@netsecu	api.follow.it/track-rss-stor… CVE-2022-26138: Hard-Coded Password Confluence Server and Data Center #cybersecurity	2022-07-21 07:25:04
@lucianot54	"CVE-2022-26138: Hard-Coded Password Confluence Server and Data Center" via Penetration Testing ift.tt/W0H2dFD	2022-07-21 07:44:25
@martinsegur	I'm shocked that anyone would still use hard-coded passwords. ? @Atlassian cve.org/CVERecord?id=C…	2022-07-21 07:44:39
@CSAsingapore	Atlassian has released a security update to address a critical vulnerability (CVE-2022-26138) in their Confluence S… twitter.com/i/web/status/1…	2022-07-21 08:00:03
@SG_Alerts	[Notice-CSA] Atlassian has released a security update to address a critical vulnerability (CVE-2022-26138) in their… twitter.com/i/web/status/1…	2022-07-21 08:00:32
@GossiTheDog	Neat find in CVE-2022-26138 If you installed Atlassian Questions For Confluence (vendor official plugin) it create… twitter.com/i/web/status/1…	2022-07-21 08:10:37
@ColorTokensInc	Emerging Vulnerability Found CVE-2022-26138 - The Atlassian Questions For Confluence app for Confluence Server and… twitter.com/i/web/status/1…	2022-07-21 08:17:07
@ImposeCost	CVE-2022-26138... also, follow this account. twitter.com/nluedtke1/stat…	2022-07-21 08:24:02
@theluemmel	I am not shocked anymore :) Confluence Questions hardcoded creds for user CVE-2022-26138 https://t.co/PE31la08E3	2022-07-21 08:38:22
@S0ufi4n3	Seriously CVE-2022-26138 -_- https://t.co/Zio6MSsvvA	2022-07-21 09:06:57
@ImposeCost	If you look at something like CVE-2022-26138, further restricting spaces and pages internally would provide some ad… twitter.com/i/web/status/1…	2022-07-21 09:55:08
@ipssignatures	The vuln CVE-2022-26138 has a tweet created 0 days ago and retweeted 10 times. twitter.com/nluedtke1/stat… #pow1rtrtwwcve	2022-07-21 10:06:00
@Scott_London	Top story: @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with knowl… twitter.com/i/web/status/1…	2022-07-21 10:42:13
@cKure7	■■■■□ CVE-2022-26138: A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit thi… twitter.com/i/web/status/1…	2022-07-21 11:13:51
@cyb3rops	Filename IOCs & YARA rule to scan for the vulnerable #Confluence Questions plugins CVE-2022-26138 Filename Pattern… twitter.com/i/web/status/1…	2022-07-21 11:51:25
@audrastreetman	CVE-2022-26138: #Confluence server/data center instances with the Questions for Confluence plug-in creates a disabl… twitter.com/i/web/status/1…	2022-07-21 12:04:15
@ipssignatures	The vuln CVE-2022-26138 has a tweet created 0 days ago and retweeted 169 times. twitter.com/fluepke/status… #pow2rtrtwwcve	2022-07-21 12:06:00
@infowaropcenter	Top story: @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with knowl… twitter.com/i/web/status/1…	2022-07-21 12:51:26
@CVEtrends	Top 3 trending CVEs on Twitter Past 24 hrs: CVE-2022-26138: 2.4M (audience size) CVE-2022-20857: 1.2M CVE-2022-208… twitter.com/i/web/status/1…	2022-07-21 13:00:03
@susession	Trending News: @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with k… twitter.com/i/web/status/1…	2022-07-21 13:02:29
@DukeNukm	Top story: @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with knowl… twitter.com/i/web/status/1…	2022-07-21 13:23:43
@SritaKaren	#Cybersecurity #InfoSec #hacking @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticat… twitter.com/i/web/status/1…	2022-07-21 13:27:24
@BhaavukAroraa	Top story: @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with knowl… twitter.com/i/web/status/1…	2022-07-21 13:27:26
@cyb3rops	#Confluence Backdoor CVE-2022-26138 https://t.co/f4okvf0HKo	2022-07-21 14:03:35
@ipssignatures	The vuln CVE-2022-26138 has a tweet created 0 days ago and retweeted 20 times. twitter.com/cyb3rops/statu… #pow1rtrtwwcve	2022-07-21 14:06:00
@wollud1969	@Jira @Atlassian , when will you provide a Docker image for Jira 8.20.10 addressing CVE-2022-26138 and CVE-2022-261… twitter.com/i/web/status/1…	2022-07-21 14:32:03
@Har_sia	CVE-2022-26138 har-sia.info/CVE-2022-26138… #HarsiaInfo	2022-07-21 15:00:12
@psrvice	@fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with knowledge of the… twitter.com/i/web/status/1…	2022-07-21 15:06:22
@thinksnews	Top story: @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with knowl… twitter.com/i/web/status/1…	2022-07-21 15:06:26
@r45c4l	Top story: @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with knowl… twitter.com/i/web/status/1…	2022-07-21 15:32:25
@Pentest101MX	#ITSecurity #ITSec @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker wi… twitter.com/i/web/status/1…	2022-07-21 15:40:50
@Higgsb101	Top story: @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated attacker with knowl… twitter.com/i/web/status/1…	2022-07-21 17:09:45
@H4ckManac	#DailyHackManac Top story: @fluepke: 'Discovered by a fried of mine: CVE-2022-26138: A remote, unauthenticated att… twitter.com/i/web/status/1…	2022-07-21 17:17:44
@ipssignatures	The vuln CVE-2022-26138 has a tweet created 0 days ago and retweeted 116 times. twitter.com/GossiTheDog/st… #pow2rtrtwwcve	2022-07-21 18:06:00
@TomLawrenceTech	The hard coded creds, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two servic… twitter.com/i/web/status/1…	2022-07-21 18:11:32
@_SaxX_	That's what we call an easter egg CVE-2022-26138 #Atlassian #cve #facepalm #Confluence #defaultloginpassword twitter.com/fluepke/status…	2022-07-21 19:13:37
@heimdallish	Atlassian Confluence possui uma vulnerabilidade crítica CVE-2022-26138 que permite a visualização e edição de págin… twitter.com/i/web/status/1…	2022-07-21 19:20:13
@ipssignatures	The vuln CVE-2022-26138 has a tweet created 0 days ago and retweeted 10 times. twitter.com/8C_8B/status/1… #pow1rtrtwwcve	2022-07-21 20:06:01
/r/netcve	CVE-2022-26138	2022-07-20 18:38:30
/r/hypeurlsposts	Confluence vulnerability CVE-2022-26138 allows attackers to gain complete access to data	2022-07-29 05:18:20
/r/devopsish	Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26138 \| Rapid7 Blog	2022-07-29 17:36:57
/r/cybersecurity	CISA warns of critical Confluence bug (CVE-2022-26138) exploited in attacks	2022-08-01 07:09:22