Hardcoded Password in Confluence App Has Been Leaked on Twitter
upstart writes:
Hardcoded password in Confluence app has been leaked on Twitter:
What's worse than a widely used Internet-connected enterprise app with a hardcoded password? Try said enterprise app after the hardcoded password has been leaked to the world.
Atlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138 stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products. The company warned the passcode was "trivial to obtain."
The company said that Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence.
"A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said. "It is important to remediate this vulnerability on affected systems immediately."
A day later, Atlassian was back to report that "an external party has discovered and publicly disclosed the hardcoded password on Twitter," leading the company to ratchet up its warnings.
"This issue is likely to be exploited in the wild now that the hardcoded password is publicly known," the updated advisory read. "This vulnerability should be remediated on affected systems immediately."
Read more of this story at SoylentNews.