CISA warns of hard-coded credentials bug in Atlassian Confluence that has been exploited in attacks


The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday added the recently disclosed Atlassian vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, tracked as CVE-2022-26138, stems from hard-coded credentials: when the Questions for Confluence app is enabled on a Confluence Server or Data Center instance, it creates a user account with a hard-coded password.

“An unauthenticated remote attacker could use these credentials to log in to Confluence and access any content accessible to users in the confluence-users group,” CISA notes in its advisory.

Depending on the page restrictions in place and on what information an organization keeps in Confluence, successful exploitation of the flaw could lead to the disclosure of sensitive data.

Although Atlassian addressed the bug last week in Questions for Confluence versions 2.7.38 and 3.0.5, it has since been exploited in the wild, cybersecurity firm Rapid7 reported this week. Note that the fix is a new release of the app, not of Confluence itself; per Atlassian's advisory, uninstalling the app does not remove the account it created, so that account should also be disabled or deleted.
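Two checks a practitioner would want after reading the description above and the fixed versions just cited, written here as an added example (this is not code from the article, Atlassian or Rapid7). The account name `disabledsystemuser` is the one Atlassian's advisory for CVE-2022-26138 gives for the account the app creates; it does not appear in this article. The version test is a conservative assumption of mine (anything below the fixed release of its major line is reported as needing an update), and the log lines are constructed in a Tomcat-style access-log format, since real Confluence deployments vary in what they log.

```python
import re
from typing import Dict, List, Tuple

# Fixed Questions for Confluence releases named in the article:
# 2.7.38 for the 2.x line and 3.0.5 for the 3.x line.
FIXED_VERSIONS = {2: (2, 7, 38), 3: (3, 0, 5)}

# Account the app creates with the hard-coded password. The name comes from
# Atlassian's advisory for CVE-2022-26138, not from this article.
HARDCODED_ACCOUNT = "disabledsystemuser"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.7.38' into (2, 7, 38); a trailing non-numeric part is dropped."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def needs_update(version: str) -> bool:
    """True when an installed app version is older than the fixed release of
    its major line. Assumption (mine, conservative): 1.x is reported as stale,
    major lines newer than 3.x are treated as already fixed."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return v[0] < min(FIXED_VERSIONS)
    return v < fixed


# Tomcat-style access log: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_hardcoded_account_activity(
    lines: List[str], account: str = HARDCODED_ACCOUNT
) -> List[Dict[str, str]]:
    """Return every parseable request authenticated as the hard-coded account.
    Any such request is suspicious: the account is meant to be unused, so a
    successful session under it is the exploitation CISA describes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("user").lower() != account.lower():
            continue
        hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits


# Constructed sample log (not real traffic). Lines 2 and 4 should be flagged.
SAMPLE_LOG = [
    '198.51.100.4 - - [22/Jul/2022:10:14:02 +0000] "POST /dologin.action HTTP/1.1" 302 0',
    '203.0.113.7 - disabledsystemuser [22/Jul/2022:10:15:33 +0000] '
    '"GET /rest/api/content?limit=500 HTTP/1.1" 200 84112',
    '10.0.0.5 - alice [22/Jul/2022:10:16:01 +0000] '
    '"GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5120',
    '203.0.113.7 - DisabledSystemUser [22/Jul/2022:10:17:09 +0000] '
    '"GET /rest/api/search?cql=text~password HTTP/1.1" 200 2201',
    "this line is not an access-log entry and is skipped",
]


if __name__ == "__main__":
    for v in ("2.7.35", "2.7.38", "3.0.2", "3.0.5"):
        print(f"Questions for Confluence {v}: update needed = {needs_update(v)}")
    for hit in find_hardcoded_account_activity(SAMPLE_LOG):
        print("suspicious:", hit)
```

Run it against the real Questions for Confluence version from the admin UI and against the Confluence access logs; the version check tells you whether the app update is still outstanding, and any hit from the log scan means the hard-coded credentials were used, which is the point at which incident response, not just patching, is needed.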

“Exploitation efforts don’t seem to be very widespread at this point, although we expect that to change,” Erick Galinkin, lead researcher on AI at Rapid7, told The Hacker News.

“The good news is that the vulnerability is in the Questions for Confluence app and not in Confluence itself, which significantly reduces the attack surface.”

Now that the flaw is in the catalog, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fix by August 19, 2022 to reduce their exposure to attacks.

“At this point, the vulnerability has been public for a relatively short time,” Galinkin noted. “Combined with the absence of meaningful post-exploitation activities, we have not yet attributed any threat actors to the attacks.”