Suggestion
Resolution: Duplicate
Given the following:
- http://confluence.atlassian.com/display/DOC/Confluence+Cookies, which says "a one-way hash of the user's password" is stored in a browser cookie on the user's computer.
- CSP-29692 (case I opened with Atlassian support), which explained that EncryptionUtils.java is used to encrypt the password.
- EncryptionUtils.java, which suggests the password is encrypted using PBEWithMD5AndDES (http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppA)
Confluence unnecessarily stores a user's password on the client machine, and it does so with questionable security.
First, there is never a reason to store a user's password, or hash thereof, on a client machine. Ever. You should be using some other token whose generation algorithm does not even use the password as an input.
Second, even if you can rebut #1, what you store is utterly useless to LDAP-connected Confluence installs. You can only authenticate to a directory server with the original password. A one-way hash of the password has no value with LDAP authentication, so you're creating risk with no benefit.
Third, your use of MD5+DES is questionable. DES does not provide acceptable security to the US federal government, and MD5 has significant vulnerabilities. Even the PKCS #5 1.5 standard upon which PBEWithMD5AndDES is based was superseded in 1999. See http://www.rsa.com/rsalabs/node.asp?id=2127.
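As an added example that is not part of the original report or of Confluence's code, the contrast behind the reporter's first point: a cookie derived from the password (simplified here to a plain MD5 digest rather than PBEWithMD5AndDES, only to show the structural problem of a deterministic, password-derived value) next to a selector/verifier "remember me" token generated with no password input at all. The function and class names, the TTL, and the sample wordlist are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


# --- 1. A cookie derived from the password (illustrative: plain MD5, not PBE) ---
def password_derived_cookie(password: str) -> str:
    # Deterministic: the same password always yields the same cookie, so a stolen
    # cookie is a reusable credential until the user changes the password.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_password_derived_cookie(cookie: str, wordlist: Iterable[str]) -> Optional[str]:
    # Whoever obtains the cookie (disk, backup, XSS) can test guesses offline;
    # an unsalted fast digest falls to a dictionary at microseconds per guess.
    for candidate in wordlist:
        if hmac.compare_digest(password_derived_cookie(candidate), cookie):
            return candidate
    return None


# --- 2. A random token whose generation never touches the password ---
@dataclass
class RememberMeRecord:
    user: str
    verifier_hash: bytes   # only a hash of the secret half is kept server-side
    expires_at: float


class RememberMeStore:
    # Cookie format is "selector:verifier". The selector is a public lookup key;
    # the verifier is the secret, stored only as SHA-256 so a database dump
    # does not yield usable cookies. Hypothetical in-memory store for the demo.
    def __init__(self, ttl_seconds: int = 14 * 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self._records: Dict[str, RememberMeRecord] = {}

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # 96 bits, lookup key
        verifier = secrets.token_urlsafe(32)   # 256 bits, the actual secret
        self._records[selector] = RememberMeRecord(
            user=user,
            verifier_hash=hashlib.sha256(verifier.encode("ascii")).digest(),
            expires_at=now + self.ttl,
        )
        return f"{selector}:{verifier}"

    def authenticate(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        selector, sep, verifier = cookie.partition(":")
        if not sep:
            return None
        record = self._records.get(selector)
        if record is None:
            return None
        if now >= record.expires_at:
            del self._records[selector]
            return None
        presented = hashlib.sha256(verifier.encode("ascii")).digest()
        if not hmac.compare_digest(presented, record.verifier_hash):
            # A known selector with the wrong verifier means a stolen or forged
            # cookie is being replayed: revoke the token rather than leave it live.
            del self._records[selector]
            return None
        return record.user

    def revoke_all(self, user: str) -> int:
        # Password change or "log out everywhere": drop every token for the user.
        doomed = [s for s, r in self._records.items() if r.user == user]
        for s in doomed:
            del self._records[s]
        return len(doomed)


def demo() -> dict:
    # Constructed inputs for the example.
    password = "Summer2009!"
    wordlist = ["123456", "password", "Summer2009!", "letmein"]
    cracked = crack_password_derived_cookie(password_derived_cookie(password), wordlist)

    store = RememberMeStore(ttl_seconds=3600)
    t0 = 1_000_000.0
    cookie = store.issue("alice", now=t0)
    return {
        "cracked": cracked,
        "token_contains_password": password in cookie,
        "valid": store.authenticate(cookie, now=t0 + 10),
        "expired": store.authenticate(cookie, now=t0 + 3601),
    }
```

Because the token is random and grants a session rather than replaying a login, the same design works whether the credentials live in Confluence's own user store or in an LDAP directory, which is the point the reporter's second objection turns on.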