Under certain conditions, Atlassian Confluence Server and Data Center are open to attack. The security risk is rated critical.
Atlassian’s wiki software Confluence Server and Data Center is vulnerable. Confluence Cloud is not affected by the vulnerability, the developers say.
However, systems are only vulnerable if the Questions for Confluence Q&A app is installed. If it is, the app automatically creates an account on Confluence Server and Data Center with the username “disabledsystemuser”. The account is assigned a standard password when it is created, which attackers could obtain with comparatively little effort.
Equipped with this, they could access all unrestricted pages of a wiki by default. In a warning, the developers classify the vulnerability (CVE-2022-26138) as “critical”. Atlassian says it has not observed any attacks so far.
Admins should check in their Confluence installations whether an account with the following data exists:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: email@example.com
If so, they should act. The versions Questions for Confluence 2.7.34, 2.7.35 and 3.0.2 are specifically affected.
Uninstalling the app does not solve the security problem, since the account remains. To secure systems, admins need to install the repaired version 2.7.38 or 3.0.5. Alternatively, they can deactivate or remove the account.
By looking at the list of registered users, one can check whether attackers have already exploited the vulnerability. The developers describe how this works in an article.
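The check described above can be scripted against an exported user list. The following is an added example, not code from Atlassian or from the original article. The CSV column layout (`username`, `email`, `active`, `last_login`) and the sample rows are constructed assumptions, as is treating a recorded login as a reason to investigate.

```python
import csv
import io

# Values stated in the article.
ACCOUNT = "disabledsystemuser"
AFFECTED_APP_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}

# Constructed sample export; the column layout is an assumption,
# not a format produced by Confluence itself.
SAMPLE_EXPORT = """username,email,active,last_login
alice,alice@wiki.example,true,2022-07-19T08:12:00Z
disabledsystemuser,email@example.com,true,
bob,bob@wiki.example,false,2021-11-02T10:00:00Z
"""


def triage(user_csv, app_version=None):
    """Triage one instance for CVE-2022-26138.

    user_csv    -- exported user list as CSV text (assumed layout, see above)
    app_version -- installed Questions for Confluence version, or None if
                   the app is not (or no longer) installed
    """
    result = {
        "app_affected": app_version in AFFECTED_APP_VERSIONS,
        "account_present": False,
        "account_active": False,
        "has_logged_in": False,
    }
    for row in csv.DictReader(io.StringIO(user_csv)):
        if (row.get("username") or "").strip().lower() != ACCOUNT:
            continue
        result["account_present"] = True
        result["account_active"] = (row.get("active") or "").strip().lower() == "true"
        result["has_logged_in"] = bool((row.get("last_login") or "").strip())
    # The account survives an uninstall, so an active account needs action
    # even when no app version is reported.
    result["remediate"] = result["app_affected"] or result["account_active"]
    # Assumption: any recorded login by this account deserves a closer look.
    result["investigate"] = result["has_logged_in"]
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT, app_version=None))
```

Run with `app_version=None`, the sample still reports `remediate: True`, which is the uninstall case the article warns about.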