Security News > 2022 > July > Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability
Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center.
While this account, Atlassian says, is to help administrators migrate data from the app to Confluence Cloud, it's also created with a hard-coded password, effectively allowing viewing and editing all non-restricted pages within Confluence by default.
"A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said in an advisory, adding that "The hard-coded password is trivial to obtain after downloading and reviewing affected versions of the app."
Questions for Confluence versions 2.7.34, 2.7.35, and 3.0.2 are impacted by the flaw, with fixes available in versions 2.7.38 and 3.0.5.
While Atlassian has pointed out that there's no evidence of active exploitation of the flaw, users can look for indicators of compromise by checking the last authentication time for the account.
Separately, the Australian software company also moved to patch a pair of critical flaws, which it calls servlet filter dispatcher vulnerabilities, impacting multiple products -.
News URL
https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html
Related news
- Critical Security Flaw in WhatsUp Gold Under Active Attack - Patch Now (source)
- SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access (source)
- Fortra Issues Patch for High-Risk FileCatalyst Workflow Security Vulnerability (source)
- Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns (source)
- Week in review: Vulnerability allows Yubico security keys cloning, Patch Tuesday forecast (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Download: CIS Critical Security Controls v8.1 (source)
- FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability (source)
- AMD won’t patch Sinkclose security bug on older Zen CPUs (source)
- SolarWinds Releases Patch for Critical Flaw in Web Help Desk Software (source)