Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26138

Exploitation is underway for one of the trio of critical Atlassian vulnerabilities published last week, which affect several of the company’s on-premises products. Atlassian has been a focus for attackers: less than two months ago we observed exploitation of CVE-2022-26134 in Confluence Server and Confluence Data Center.


CVE-2022-26138: Hardcoded password in Questions for Confluence app, impacting:
  Confluence Server
  Confluence Data Center

CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities, impacting:
  Bamboo Server and Data Center
  Bitbucket Server and Data Center
  Confluence Server and Data Center
  Crowd Server and Data Center
  Crucible
  Fisheye
  Jira Server and Data Center
  Jira Service Management Server and Data Center

CVE-2022-26138: Hardcoded password in Questions for Confluence app

The most critical of the three is CVE-2022-26138, which was exploited in the wild soon after the hardcoded password was released on social media. There is a limiting factor, however: the vulnerability exists only when the Questions for Confluence app is enabled (and it does not affect Confluence Cloud). Once the app is enabled on an affected version, it creates a user account with a hardcoded password and adds that account to a user group that has access to all non-restricted pages in Confluence. This allows a remote, unauthenticated attacker to browse an organization’s Confluence instance with little effort. Unsurprisingly, it didn’t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers, who often jump on Confluence vulnerabilities to execut ..
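As an added defender-side illustration (not code from the original article or from Rapid7), the Python sketch below flags the app-created account in a user-directory export and lists access-log requests that were authenticated as it. The account and group names are placeholders because the page does not give them, and the log format is an assumed Common Log Format with the authenticated user in the third field.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PLACEHOLDERS: the page names neither the account nor the group. Replace these
# with the values from Atlassian's CVE-2022-26138 advisory before running.
SUSPECT_ACCOUNT = "HARDCODED_APP_ACCOUNT_PLACEHOLDER"
BROAD_ACCESS_GROUP = "BROAD_ACCESS_GROUP_PLACEHOLDER"


@dataclass
class ConfluenceUser:
    username: str
    active: bool
    groups: Tuple[str, ...]


def audit_user(user: ConfluenceUser) -> Optional[str]:
    """Classify one directory entry; None means nothing to report."""
    if user.username != SUSPECT_ACCOUNT:
        return None
    if not user.active:
        return "present-but-disabled"          # still worth removing
    if BROAD_ACCESS_GROUP in user.groups:
        return "critical-active-broad-access"  # the CVE-2022-26138 condition
    return "active-hardcoded-credential"


# Assumed Common Log Format; adjust the pattern to your Tomcat access-log layout.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def logins_by_suspect_account(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, timestamp, request) for each non-401 request made as the account."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and m.group("user") == SUSPECT_ACCOUNT and m.group("status") != "401":
            hits.append((m.group("ip"), m.group("ts"), m.group("req")))
    return hits


# Constructed sample data; not taken from any real instance.
SAMPLE_USERS = [
    ConfluenceUser("admin", True, ("confluence-administrators",)),
    ConfluenceUser(SUSPECT_ACCOUNT, True, (BROAD_ACCESS_GROUP,)),
]
SAMPLE_LOG = [
    f'203.0.113.7 - {SUSPECT_ACCOUNT} [22/Jul/2022:10:01:02 +0000] "GET /rest/api/content HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Jul/2022:10:01:05 +0000] "GET /login.action HTTP/1.1" 200 880',
    f'198.51.100.9 - {SUSPECT_ACCOUNT} [22/Jul/2022:10:02:00 +0000] "GET /dologin.action HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        finding = audit_user(u)
        if finding:
            print(f"{u.username}: {finding}")
    for hit in logins_by_suspect_account(SAMPLE_LOG):
        print("suspect request:", hit)
```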