Skip to main content
close search
site logo
Dive Brief

Atlassian urges rapid response after Confluence hardcoded password leaked

The company's customers are confronting the second critical vulnerability on Confluence in as many months.

Published July 22, 2022
Matt Kapko's headshot
Senior Reporter
A password field reflected on a eye.
In this photo illustration, an image of a password login dialog box is reflected on the eye of a woman on August 09, 2017 in London. Leon Neal via Getty Images

Dive Brief:

  • Threat actors are likely exploiting a critical vulnerability that surfaced in a pair of Confluence support apps after a hardcoded default password was leaked, Atlassian warned customers in an advisory update on Thursday.
  • The culprit, a default password for admin control on Atlassian’s Questions for Confluence app, allows attackers to gain access to unpatched servers. Atlassian released a patch for the vulnerability and advised all organizations running affected Confluence systems to update the app, disable or delete the default “disabledsystemuser” admin account.
  • The Cybersecurity and Infrastructure Security Agency Friday issued an advisory to alert customers to the latest vulnerability impacting Confluence. “An attacker could exploit this vulnerability to obtain sensitive information,” the agency said.

Dive Insight:

This marks the second critical vulnerability in Atlassian’s Confluence Server and Data Center products in as many months. The company released a security update in early June to patch a critical zero-day vulnerability that attackers could exploit without the need for authentication.

Questions for Confluence, a support app that has been downloaded more than 8,000 times, automatically creates the default username and password to help administrators migrate data from the app to Confluence Cloud. 

Atlassian said an outside party discovered and leaked the hardcoded default password for admin control on Twitter.

The hardcoded password linked to the admin account is added to the confluence-users group upon install, allowing full control over non-restricted pages within Confluence by default, according to Atlassian.

Organizations that previously installed and uninstalled the support app remain vulnerable because the default username and password are added directly to Confluence Server or Data Center. Those admin controls must be manually deleted or disabled, or removed by installing an updated version of the Questions for Confluence app.

Atlassian also encourages customers to search for evidence of exploitation by obtaining a list of users’ logon times. If no authentication time for “disabledsystemuser” is found, the account still exists but has yet to be compromised, the company said.

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
Abbott Laboratories Employees Credit Union (“ALEC”) Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
Torus Unveils Integrated Energy Storage and AI-Driven Cybersecurity Solutions
From Torus
October 24, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell