Confluence hard-coded password flaws fixed with ESOF’s one risk score
Atlassian has released fixes to remediate a critical security vulnerability relating to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center. It has also warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that several critical-rated flaws undermine their security.
What is a hard-coded password?
Hard-coded passwords, often called embedded credentials, are plain text passwords or other secrets in source code. The term refers to embedding plain text (non-encrypted) passwords, as well as other secrets (SSH keys, DevOps secrets, and so on), directly into the source code.
Beyond that, default hard-coded passwords are reused across similar devices, applications, and systems, which simplifies setup at scale but introduces significant cybersecurity risk.
Hard-coded passwords can be found in:
- Software applications, both locally installed and cloud-based
- Firmware across PCs, BIOS, mobile phones, servers, printers, etc.
- Network routers, switches, and other control systems
- Internet of Things (IoT) devices and medical devices
- DevOps tools
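A minimal source scanner for the kinds of embedded credentials listed above, added here as an illustration (not ESOF's or Atlassian's code); the key names in the pattern, the entropy threshold and the sample input are assumptions constructed for this example:

```python
import math
import re

# Constructed patterns for this example: a password-like key assigned a quoted
# literal, and the header line of a PEM private key. Extend the key list per codebase.
CREDENTIAL_RE = re.compile(
    r'(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["\']([^"\']{6,})["\']',
    re.IGNORECASE,
)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Shared default values are still findings (that is the risk); they are just labelled.
KNOWN_DEFAULTS = {"changeme", "password", "admin123", "default"}

def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score high, dictionary words score low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value))) if n else 0.0

def scan_source(text: str, min_entropy: float = 3.0) -> list:
    """Return one finding per line that looks like an embedded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append({"line": lineno, "kind": "private_key"})
            continue
        m = CREDENTIAL_RE.search(line)
        # Skip lines with no quoted literal, and ${VAR} / {{ var }} placeholders
        # that are resolved from a secret store at deploy time.
        if not m or m.group(2).startswith(("${", "{{")):
            continue
        value = m.group(2)
        ent = shannon_entropy(value)
        findings.append({
            "line": lineno,
            "kind": m.group(1).lower(),
            "entropy": round(ent, 2),
            "high_entropy": ent >= min_entropy,
            "known_default": value.lower() in KNOWN_DEFAULTS,
        })
    return findings

# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
db_host = "db.internal"
db_password = "hunter2"
API_KEY = "k7Qz9pL2vX4mN8wR1tY6"
admin_password = "changeme"
token = "${VAULT_TOKEN}"
secret = os.environ["APP_SECRET"]
-----BEGIN RSA PRIVATE KEY-----
"""
```

Running `scan_source(SAMPLE)` flags lines 2, 3, 4 and 7; the templated token and the value read from the environment on lines 5 and 6 are the remediated form and produce no finding.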
Hard-coded passwords are causing critical flaws at companies.
One of the flaws, CVE-2022-26136, is described as an arbitrary Servlet Filter bypass: an attacker can exploit it by sending a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authentication.
The worrying part is that the flaw lets a remote, unauthenticated attacker bypass the authentication used by third-party apps, and Atlassian does not have a definitive list of the apps that could be affected. However, the fix is applied in the Atlassian product itself, which covers the third-party apps as well.
The same CVE (Common Vulnerabilities and Exposures entry) can also be exploited in a cross-site attack: a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Gadgets.
The second flaw, CVE-2022-26137, is a cross-origin resource sharing (CORS) bypass.
Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker who can trick a user into requesting a malicious URL can access the vulnerable application with the victim's permissions.
Confluence customers have one more flaw to deal with: CVE-2022-26138 reveals that one of its Confluence apps, Questions For Confluence, has a hard-coded password in place to support migrations to the cloud.
Fix hard-coded password flaws with ESOF VMDR!
ESOF VMDR is built for exactly this, as it helps you fix these types of vulnerabilities. It gives you one risk score for flaws caused by hard-coded passwords across your complete IT stack. It also enables enterprises to detect vulnerabilities and critical assets in the network.
In addition, it auto-prioritizes them according to SLA (Service Level Agreement) metrics. Our product provides scheduled scanning of your applications. With AI-powered cyber-threat intelligence, ESOF detects flaws like hard-coded passwords, which allow cybercriminals to hijack your systems.
With ESOF VMDR, you can fix the vulnerabilities present in your systems efficiently, as it provides you with:
- In-depth scanning
- OWASP Top 10 and SANS Top 25 vulnerability coverage
- Security embedded in the SDLC
- One Risk Score