Atlassian patches batch of critical vulnerabilities across multiple products
Atlassian has fixed three critical vulnerabilities and is urging customers using Confluence, Bamboo, Bitbucket, Crowd, Fisheye and Crucible, Jira and Jira Service Management to update their instances as soon as possible.
The vulnerabilities are tracked as CVE-2022-26138, CVE-2022-26136 and CVE-2022-26137. The first is especially notable: it appears Atlassian has left a hardcoded username (disabledsystemuser) and a known password in place, which allows for easy unauthorized privileged access. The affected app is "Questions for Confluence", and Atlassian recommends updating quickly to a patched version or disabling or deleting the disabledsystemuser account.
Read more on all the recent Atlassian vulnerabilities at Help Net Security