Atlassian fixes critical Confluence hardcoded credentials flaw
Security News, July 2022
Atlassian has patched a critical hardcoded credentials vulnerability (CVE-2022-26138) in the Questions for Confluence app for Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable, unpatched servers.
According to Atlassian, the app helps improve communication with the organization's internal Q&A team and is installed on over 8,000 Confluence servers. When installed on an affected version, the app creates a Confluence user account named disabledsystemuser, intended to help administrators migrate data from the app to Confluence Cloud.
"The disabledsystemuser account is created with a hardcoded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default," the company explained in a security advisory published on Wednesday.
"A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to."
Atlassian's remediation is to update Questions for Confluence to a fixed version (2.7.38 or 3.0.5) or, where that is not immediately possible, to disable or delete the disabledsystemuser account.
Updating the app to a fixed version stops the problematic account from being created and removes it if it is present. Uninstalling the app is not enough: the account persists after the app is removed, so it must still be disabled or deleted. The hardcoded password was published publicly shortly after the advisory, so the account should be treated as exploitable by anyone who can reach the login page. To check whether it has already been abused, Atlassian advises reviewing the last authentication time for disabledsystemuser; a null value means the account exists but nobody has ever logged in with it.
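The triage an administrator wants here is to answer three questions at once: is the app at a fixed version, does the disabledsystemuser account exist, and is it still in confluence-users. The script below is an added example (not Atlassian's code) that makes that decision offline from JSON you have already pulled from the instance. It assumes the Universal Plugin Manager listing (GET /rest/plugins/1.0/) carries a `plugins` array with `key` and `version` fields, that the plugin key is `com.atlassian.confluence.plugins.confluence-questions`, and that the user and group endpoints (GET /rest/api/user and GET /rest/api/user/memberof) return the shapes constructed in the sample data; all of those are assumptions, and the sample records are constructed, not captured from a real server. The fixed-version thresholds are the ones from Atlassian's advisory.

```python
import re

# Plugin key of Questions for Confluence as it appears in the UPM listing (assumption).
QUESTIONS_PLUGIN_KEY = "com.atlassian.confluence.plugins.confluence-questions"
# First fixed release on each supported branch, per Atlassian's advisory.
FIXED_BY_BRANCH = {2: (2, 7, 38), 3: (3, 0, 5)}
BACKDOOR_ACCOUNT = "disabledsystemuser"
EXPOSED_GROUP = "confluence-users"


def parse_version(text):
    """Turn '2.7.35' or '3.0.5-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed_version(version):
    """True only when the installed app is at or above the fixed release for its branch.

    Unknown older branches are treated as not fixed, so they are flagged for review;
    branches newer than 3.x postdate the fix and are treated as fixed."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        return v[0] > 3
    return v >= fixed


def find_questions_plugin(upm_listing):
    """Locate the Questions for Confluence entry in a UPM plugin listing, or None."""
    for plugin in upm_listing.get("plugins", []):
        if plugin.get("key") == QUESTIONS_PLUGIN_KEY:
            return plugin
    return None


def group_names(memberof_json):
    """Extract group names from a memberof response of the assumed shape {'results': [{'name': ...}]}."""
    return {g.get("name") for g in memberof_json.get("results", [])}


def assess(upm_listing, account, memberof_json):
    """Return a list of finding codes; an empty list means no action is needed.

    account is the user JSON for disabledsystemuser, or None when the lookup returned 404.
    Note that an absent plugin does not clear the instance: the account outlives an uninstall."""
    findings = []
    plugin = find_questions_plugin(upm_listing)
    if plugin is None:
        findings.append("plugin-absent")
    elif not is_fixed_version(plugin.get("version", "0")):
        findings.append("plugin-vulnerable:" + plugin["version"])
    if account is not None:
        findings.append("account-present")
        if EXPOSED_GROUP in group_names(memberof_json):
            findings.append("account-in-" + EXPOSED_GROUP)
    return findings


def needs_action(findings):
    """Action is required if the app is unpatched or the account still exists."""
    return any(f.startswith("plugin-vulnerable") or f == "account-present" for f in findings)


# Constructed sample records (not captured from a real instance).
SAMPLE_UPM = {"plugins": [
    {"key": "com.atlassian.confluence.plugins.some-other-plugin", "version": "1.0.0"},
    {"key": QUESTIONS_PLUGIN_KEY, "version": "2.7.35", "enabled": True},
]}
SAMPLE_USER = {"type": "known", "username": BACKDOOR_ACCOUNT, "displayName": "Disabled System User"}
SAMPLE_MEMBEROF = {"results": [{"type": "group", "name": "confluence-users"}]}

if __name__ == "__main__":
    result = assess(SAMPLE_UPM, SAMPLE_USER, SAMPLE_MEMBEROF)
    print("findings:", result, "| action required:", needs_action(result))
```

The uninstall case is the one worth noticing in the output: a listing with no Questions for Confluence entry but a user record for disabledsystemuser still yields `account-present`, which is exactly the state Atlassian warns remains exploitable. The version comparison is deliberately strict about unknown branches so that an odd version string is surfaced rather than silently passed.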