CVE-2022-26138
Severity CVSS v4.0:
Pending analysis
Type:
CWE-798
Use of Hard-coded Credentials
Publication date:
20/07/2022
Last modified:
14/01/2026
Description
The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:* | | |
| cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:* | | |
| cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:* | | |
| cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:* | | |
| cpe:2.3:a:atlassian:confluence_server:-:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
- https://jira.atlassian.com/browse/CONFSERVER-79483
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26138