Hard-coded password in Confluence app leaked on Twitter


Written by admin




What could be worse than a widely used corporate application connected to the Internet with a hard-coded password? Try that same enterprise application after the hard-coded password has become known to the world.

On Wednesday, Atlassian disclosed three critical product vulnerabilities, including CVE-2022-26138, which stems from a hard-coded password in Questions for Confluence, an app that lets users quickly get help with common questions about Atlassian products. The company warned that the password is “easy to get”.

The company said that at the time of publication, Questions for Confluence had 8,055 installs. Once installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help administrators move data between the app and the Confluence Cloud service. The hard-coded password protecting this account allows viewing and editing of all non-restricted pages in Confluence.

“An unauthenticated remote attacker who knows the hardcoded password could use this to log into Confluence and access any pages that the confluence user group has access to,” the company said. “It is important to address this vulnerability on affected systems immediately.”

A day later, Atlassian returned to report that “an external party has discovered and publicly disclosed the hardcoded password on Twitter,” prompting the company to step up its warnings.

“This issue is likely to be exploited in the wild now that the hardcoded password has become public knowledge,” the updated bulletin says. “This vulnerability should be addressed immediately on affected systems.”

The company has warned that even if Confluence installations do not have the application actively installed, they may still be vulnerable. Removing the application does not automatically fix the vulnerability because the disabledsystemuser account may still be on the system.

To find out if the system is vulnerable, Atlassian advised Confluence users to look for accounts with the following information:

  • User: disabledsystemuser
  • Username: disabledsystemuser
  • Email address:

Atlassian has provided additional instructions for finding these accounts here. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Atlassian has given customers two ways to resolve the issue: disable or remove the “disabledsystemuser” account. The company has also published this list of answers to frequently asked questions.

Confluence users who want to check for evidence of exploitation can look up the last authentication time for disabledsystemuser by following the instructions here. If the result is null, the account exists on the system but no one has yet signed in with it. The same queries also show recent login attempts, both successful and unsuccessful.
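The check described above, as an added example that is not Atlassian's own query: it looks the account up in a user table, then reads its last successful login, treating a null value as "present but never used". The table and column names (cwd_user, logininfo, successdate, and so on) are my assumption of Confluence's schema and should be confirmed against your database; the sample rows and timestamps are constructed for the demonstration.

```python
import sqlite3

# The account the Questions for Confluence app creates (name taken from the article).
LEAKED_ACCOUNT = "disabledsystemuser"

# ASSUMPTION: table/column names mirror Confluence's cwd_user and logininfo tables
# as I understand them; verify against your own database before relying on this.
SCHEMA = """
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, user_name TEXT,
                       email_address TEXT, active INTEGER);
CREATE TABLE logininfo (username TEXT, successdate TEXT, faildate TEXT,
                        currentfailed INTEGER, totalfailed INTEGER);
"""


def assess(conn, username=LEAKED_ACCOUNT):
    """Classify the account as absent, dormant (exists but never authenticated)
    or used (at least one successful login on record), plus supporting details."""
    cur = conn.cursor()
    user = cur.execute(
        "SELECT user_name, email_address, active FROM cwd_user "
        "WHERE lower(user_name) = lower(?)", (username,)).fetchone()
    if user is None:
        return {"state": "absent", "active": False,
                "last_success": None, "failed_attempts": 0}
    login = cur.execute(
        "SELECT successdate, faildate, totalfailed FROM logininfo "
        "WHERE lower(username) = lower(?)", (username,)).fetchone()
    last_success = login[0] if login else None  # NULL here means never signed in
    failed = login[2] if login and login[2] else 0
    return {"state": "used" if last_success else "dormant",
            "active": bool(user[2]),
            "last_success": last_success,
            "failed_attempts": failed}


def build_sample(scenario):
    """Constructed in-memory databases for the three outcomes the article describes:
    'absent' (account not present), 'dormant' (present, never logged in) and
    'used' (present, with a recorded successful login)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO cwd_user VALUES (1, 'alice', 'alice@example.invalid', 1)")
    if scenario in ("dormant", "used"):
        conn.execute("INSERT INTO cwd_user VALUES (2, ?, 'placeholder@example.invalid', 1)",
                     (LEAKED_ACCOUNT,))
    if scenario == "dormant":
        conn.execute("INSERT INTO logininfo VALUES (?, NULL, NULL, 0, 0)", (LEAKED_ACCOUNT,))
    if scenario == "used":
        # Constructed timestamps: two failed attempts followed by a success.
        conn.execute("INSERT INTO logininfo VALUES (?, '2022-07-21 03:14:00', "
                     "'2022-07-21 03:12:00', 0, 2)", (LEAKED_ACCOUNT,))
    return conn


if __name__ == "__main__":
    for scenario in ("absent", "dormant", "used"):
        print(f"{scenario:8s} -> {assess(build_sample(scenario))}")
```

A dormant result still calls for disabling or removing the account; a used result with a successful login you cannot attribute to an administrator is the signal to treat the instance as potentially compromised and review what that account touched.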

“Now that patches have been released, it can be expected that patching and reverse engineering efforts will create a public POC in a fairly short time frame,” Casey Ellis, founder of vulnerability reporting service Bugcrowd, wrote in a direct message. “Atlassian shops need to start patching public-facing products immediately and those behind a firewall as soon as possible. The comments in the bulletin recommending not to use proxy filtering as a mitigation suggest that there are multiple pathways.”

Two other vulnerabilities reported by Atlassian on Wednesday are also serious and affect the following products:

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Crucible
  • FishEye
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center

Tracked as CVE-2022-26136 and CVE-2022-26137, these vulnerabilities allow unauthenticated remote attackers to bypass servlet filters used by first-party and third-party apps.

“The impact depends on which filters are used by each application and how those filters are used,” the company said. “Atlassian has released updates that address the root cause of this vulnerability, but did not exhaustively list all of the potential impacts of this vulnerability.”

Vulnerable Confluence servers have long been a favorite place for hackers to install ransomware, cryptominers, and other forms of malware. The vulnerabilities discovered by Atlassian this week are serious enough that administrators should prioritize a thorough check of their systems, ideally before the weekend.
