
There has been a lot of news about Confluence vulnerabilities | Vulnerability Management and more

There has been a lot of news about Confluence vulnerabilities this week. Atlassian has released three of them.

CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities (authentication bypass, XSS, cross-origin resource sharing bypass). Many Atlassian products are vulnerable: not only Confluence and JIRA, but also Bitbucket, for example. Everything is clear here: such installations need to be patched. And, ideally, it's time to stop using Atlassian products if you live and work in certain locations, because this vendor is unstable.

CVE-2022-26138: Hardcoded password in Confluence Questions. This vulnerability is now the most hyped and ridiculous. If you install the optional Confluence Questions app, it creates a user named disabledsystemuser with a hardcoded password. And this user is not disabled! The password is already publicly available. Logged in as this user, you can read the pages accessible to the confluence-users group. Well, isn't it funny? This can be fixed by patching or by blocking/deleting the user.
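An added check for this account, written for this post rather than taken from Atlassian: it asks a Confluence Server/Data Center instance whether disabledsystemuser exists and whether it is in confluence-users, and tells the admin to remove it. The REST paths /rest/api/user and /rest/api/user/memberof and the JSON shapes in the constructed samples are assumptions; confirm them against your version's REST documentation.

```python
"""Report whether the CVE-2022-26138 account is still present and exposed."""
import base64
import json
import urllib.error
import urllib.request

SUSPECT_USER = "disabledsystemuser"
SENSITIVE_GROUP = "confluence-users"  # membership grants read access to its pages


def fetch_json(base_url, path, admin, password):
    """GET a REST path with HTTP basic auth; a 404 is reported as None (no such user)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{admin}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def assess(user_json, memberof_json):
    """Return (finding, advice) from the /rest/api/user and /memberof responses.

    user_json is None when the account does not exist; memberof_json is assumed
    to carry the groups under a 'results' list of {'type': 'group', 'name': ...}.
    """
    if user_json is None:
        return ("absent", f"no account named {SUSPECT_USER}")
    groups = {g.get("name") for g in memberof_json.get("results", [])}
    if SENSITIVE_GROUP in groups:
        return ("exposed", f"{SUSPECT_USER} exists and is in {SENSITIVE_GROUP}: disable or delete it now")
    return ("present", f"{SUSPECT_USER} exists (not in {SENSITIVE_GROUP}): still disable or delete it")


# Constructed sample responses for an offline run; not captured from a real instance.
SAMPLE_USER = {"type": "known", "username": SUSPECT_USER, "displayName": "Disabled System User"}
SAMPLE_MEMBEROF = {"results": [{"type": "group", "name": SENSITIVE_GROUP}], "size": 1}

if __name__ == "__main__":
    print(assess(SAMPLE_USER, SAMPLE_MEMBEROF))
    # Live check (fill in your own instance and an admin credential):
    # base, admin, pw = "https://confluence.example.internal", "admin", "<password>"
    # u = fetch_json(base, f"/rest/api/user?username={SUSPECT_USER}", admin, pw)
    # m = fetch_json(base, f"/rest/api/user/memberof?username={SUSPECT_USER}", admin, pw) if u else {"results": []}
    # print(assess(u, m))
```

Even when the account is reported absent, keep the patch: the fix also covers reinstallation of the app recreating the user.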

What can be said here:
1. Plugins and extensions are evil and usually the most vulnerable. Try to avoid them.
2. This is what backdoors in software can look like. The exploitation is very simple, and the vendor can always say, "oh, sorry, that was a bug".
3. Those who make Confluence and similar services available on the network perimeter are their own enemies.

Russian version

@avleonovcom #VMnews #Atlassian #Confluence