CVE-2022-26138 — AI Deep Analysis Summary

🚨 **Essence**: A hardcoded password flaw in the 'Questions for Confluence' app. 📉 **Consequences**: Attackers gain unauthorized access to enterprise knowledge bases, risking data leaks and system compromise.

🛡️ **CWE-798**: Use of Hard-coded Credentials. 💥 **Flaw**: The app creates a user 'disabledsystemuser' with a static, unchangeable password upon installation.

🏢 **Vendor**: Atlassian. 📦 **Product**: Confluence Server & Data Center. 📱 **Component**: 'Questions for Confluence' App (Versions 2.7.34, 2.7.35, 3.0.2).

👁️ **Privileges**: Remote, unauthenticated login. 📂 **Data**: Access to ALL content in the 'confluence-users' group (view/edit non-restricted pages).

📉 **Threshold**: LOW. 🔓 **Auth**: None required (Unauthenticated). ⚙️ **Config**: Only requires the vulnerable app to be installed/enabled.

🔓 **Exploit**: YES. 📂 **PoC**: Multiple public PoCs available on GitHub (e.g., alcaparra, Vulnmachines, z92g). 🌍 **Wild Exploitation**: High risk due to simple credential usage.

🔍 **Check**: Scan for 'Questions for Confluence' app. 📝 **Test**: Try login with user 'disabledsystemuser' / pass 'disabled1system1user6708'. 🛠️ **Tools**: Use Nuclei templates or custom POC scripts.

✅ **Fixed**: YES. 📅 **Date**: Advisory published 2022-07-20. 🔄 **Action**: Update the 'Questions for Confluence' app to a patched version immediately.

🚫 **Workaround**: Disable or uninstall the 'Questions for Confluence' app if patching isn't possible. 🧹 **Cleanup**: Delete the 'disabledsystemuser' account if it persists.

🔥 **Priority**: HIGH. 🚀 **Urgency**: Critical. ⚠️ **Reason**: Unauthenticated access to sensitive corporate wiki data. Patch immediately!