
Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center.
While the account the app creates, Atlassian says, is meant to help administrators migrate data from the app to Confluence Cloud, it is also created with a hard-coded password, effectively allowing anyone who knows that password to view and edit all non-restricted pages within Confluence by default.
"A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said in an advisory, adding that "The hard-coded password is trivial to obtain after downloading and reviewing affected versions of the app."
Questions for Confluence versions 2.7.34, 2.7.35, and 3.0.2 are impacted by the flaw, with fixes available in versions 2.7.38 and 3.0.5.
While Atlassian has pointed out that there's no evidence of active exploitation of the flaw, users can look for indicators of compromise by checking the last authentication time for the account.
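As an added illustration of the two checks the advisory describes (is the installed app version one of the impacted releases, and has the app-created account ever authenticated), the following triage helper is example code, not Atlassian's; the account username, the user-export record layout and the sample records are constructed assumptions.

```python
from datetime import datetime

# App versions named in the advisory as impacted / fixed.
AFFECTED_VERSIONS = {(2, 7, 34), (2, 7, 35), (3, 0, 2)}
FIXED_VERSIONS = {(2, 7, 38), (3, 0, 5)}

# Assumed placeholder for the migration account's username; substitute the
# name given in Atlassian's advisory for your deployment.
MIGRATION_ACCOUNT = "<migration-account-username>"

def parse_version(text):
    """'2.7.35' -> (2, 7, 35); tolerates surrounding whitespace."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version_text):
    """True only for the app versions the advisory lists as impacted."""
    return parse_version(version_text) in AFFECTED_VERSIONS

def is_fixed(version_text):
    return parse_version(version_text) in FIXED_VERSIONS

def find_account_indicator(user_records, account=MIGRATION_ACCOUNT):
    """Locate the migration account in an exported user list and return
    (present, last_authentication). A recorded authentication time is the
    indicator the advisory points to: it means the account has been used
    and the login should be investigated."""
    for rec in user_records:
        if rec["username"] != account:
            continue
        stamp = rec.get("last_login")  # ISO-8601 string or None
        return True, (datetime.fromisoformat(stamp) if stamp else None)
    return False, None

def triage(app_version, user_records):
    """Combine the version check and the account check into one verdict."""
    present, last_auth = find_account_indicator(user_records)
    return {
        "affected_version": is_affected(app_version),
        "fixed_version": is_fixed(app_version),
        "account_present": present,
        "last_authentication": last_auth,
        "compromise_indicator": last_auth is not None,
    }

# Constructed sample user export (not real data): one login by the account.
SAMPLE_USERS = [
    {"username": "alice", "last_login": "2022-07-19T08:12:00+00:00"},
    {"username": MIGRATION_ACCOUNT, "last_login": "2022-07-18T23:41:10+00:00"},
    {"username": "bob", "last_login": None},
]

if __name__ == "__main__":
    print(triage("2.7.35", SAMPLE_USERS))
```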
Separately, the Australian software company also moved to patch a pair of critical flaws, which it calls servlet filter dispatcher vulnerabilities, impacting multiple products -.
News URL
https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html