Security News > 2022 > July > Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability
Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center.
While this account, Atlassian says, is to help administrators migrate data from the app to Confluence Cloud, it's also created with a hard-coded password, effectively allowing viewing and editing all non-restricted pages within Confluence by default.
"A remote, unauthenticated attacker with knowledge of the hard-coded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said in an advisory, adding that "The hard-coded password is trivial to obtain after downloading and reviewing affected versions of the app."
Questions for Confluence versions 2.7.34, 2.7.35, and 3.0.2 are impacted by the flaw, with fixes available in versions 2.7.38 and 3.0.5.
While Atlassian has pointed out that there's no evidence of active exploitation of the flaw, users can look for indicators of compromise by checking the last authentication time for the account.
Separately, the Australian software company also moved to patch a pair of critical flaws, which it calls servlet filter dispatcher vulnerabilities, impacting multiple products -.
News URL
https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html
Related news
- Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) (source)
- CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability (source)
- Setting a security standard: From vulnerability to exposure management (source)
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)