The Atlassian Hipchat Integration Plugin for Bitbucket Server exposed the secret key it used to communicate with a linked HipChat service in various administration pages. For this vulnerability to affect your Bitbucket Server instance you must have a HipChat integration established. To exploit this issue, attackers must have Admin access to a Bitbucket Server. Using the secret key attackers could gain full control over a linked HipChat instance.

 Affected versions:

• All versions of Atlassian Hipchat Integration Plugin for Bitbucket Server from 6.26.0 before 6.27.5, from 6.28.0 before 7.3.7 and from 7.4.0 before 7.8.17 are affected by this vulnerability.
• All versions of Bitbucket Server from 3.10.0 before 4.4.4 (the fixed version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for 4.5.x), 4.6.0 before 4.6.4 (the fixed version for 4.6.x), 4.7.0 before 4.7.2 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are affected by this vulnerability.

Fix:

• Bitbucket Server 4.9.1 is available for download from https://www.atlassian.com/software/bitbucket/download.
• Bitbucket Server 4.8.4 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
  Bitbucket Server 4.7.2 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
• Bitbucket Server 4.6.4 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
• Bitbucket Server 4.5.3 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
• Bitbucket Server 4.4.4 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.

If you are running Stash 3.11 then download the JARs from this issue and install them using the instructions for installing add-ons using UPM found at https://confluence.atlassian.com/display/UPM/Installing+add-ons#Installingadd-ons-Installingbyfileupload after which you must restart Stash. Version 6.27.5 (which contains a fix) of the Atlassian Hipchat Integration Plugin should be installed.  

Risk Mitigation:

• If you are unable to upgrade your Bitbucket Server, then as a temporary workaround, you can disable or uninstall the Atlassian Hipchat Integration Plugin.

For additional details see the full advisory.