A crucial Atlassian Confluence vulnerability that was disclosed final week is now being actively exploited within the wild, researchers are warning.
Based on researchers at Rapid7, the bug in query (CVE-2022-26138, one of three patched last week) is because of a hardcoded password within the Questions for Confluence app, which might enable cyberattackers to realize full entry to knowledge inside the on-premises Confluence Server and Confluence Information Heart platforms.
Extra particularly, as soon as put in, the Questions for Confluence app will “create a person account with a hard-coded password and add the account to a person group, which permits entry to all nonrestricted pages in Confluence,” in response to Rapid7’s posting. “This simply permits a distant, unauthenticated attacker to browse a company’s Confluence occasion.”
The stakes are excessive. Many organizations use Confluence for mission administration and collaboration amongst groups scattered throughout on-premises and distant places. Usually Confluence environments can home delicate knowledge on initiatives that a company is likely to be engaged on, or home it on its prospects and companions.
Organizations are urged to patch rapidly as a result of the password was made public final week, prompting emergency motion by Atlassian. Confluence is sadly a well-liked goal for attackers, as evidenced by the active exploitation of the bug tracked as CVE-2022-26134 in June, used to unfold ransomware.
Admins ought to word: The bug solely exists when the Questions for Confluence app is enabled, and it doesn’t affect the Confluence Cloud occasion. Nonetheless, crucially, “uninstalling the Questions for Confluence app doesn’t remediate this vulnerability,” in response to Atlassian’s advisory final week.
“Confluence has had no scarcity of headlines,” Rick Holland, CISO at Digital Shadows, stated by way of electronic mail. “Hardcoded passwords considerably enhance the probability of exploitation, particularly when the passwords develop into broadly shared. In case you play soccer, hardcoded passwords are ‘personal targets.’ Adversaries rating sufficient targets alone; we need not put the ball in our personal web. By no means use hardcoded passwords; take the time to arrange correct authentication and decrease future dangers.”