- Disabledsystemuser account created by the Questions for Confluence app allows attackers to steal credentials.
- Stealing the hardcoded credentials allows attackers to log into Confluence Server and Data Center.
- Users can fix the issue by applying the patched versions or by disabling or deleting the disabledsystemuser account.
Atlassian announced that the company has patched a vulnerability that allows attackers to steal hardcoded credentials in Confluence Server and Data Center. Once the credentials are leaked, the unauthenticated attackers can log into these servers. These credentials are added after installing the Questions for Confluence app with the username “disabledsystemuser”, which is installed on more than 8,000 servers.
The vulnerability, tracked as CVE-2022-26138, affects Questions for Confluence versions 2.7.34, 2.7.35, and 3.0.2. The company stated that they have reports stating that the vulnerability is currently being exploited in the wild. According to the advisory published, a Confluence Server or Data Center instance is affected if it has an active user account with the following information:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: [email protected]
If this account does not show up in the list of active users, the Confluence instance is not affected. Uninstalling the Questions for Confluence app doesn’t mitigate the vulnerability. Users can search for the disabledsystemuser account and then disable or delete it to prevent attacks. Users can also update to version 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) or version 3.0.5 (compatible with Confluence 7.16.3 and later) to fix the issue.
In fixed versions, the Questions for Confluence app doesn’t create disabledsystemuser user account and removes it from the system if it is already created.