Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 4.4.4, 4.5.3, 4.6.4, 4.7.2, 4.8.4, 4.9.0
Affects Version/s: 3.10.0, 4.5.1, 4.6.0, 4.7.1, 4.8.0
Component/s: Integration - HC
Labels:

Symptom Severity:
Severity 1 - Critical
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

The Atlassian Hipchat Integration Plugin for Bitbucket Server exposed the secret key it used to communicate with a linked HipChat service in various administration pages. For this vulnerability to affect your Bitbucket Server instance you must have a HipChat integration established. To exploit this issue, attackers must have Admin access to a Bitbucket Server. Using the secret key attackers could gain full control over a linked HipChat instance.

Affected versions:

All versions of Atlassian Hipchat Integration Plugin for Bitbucket Server from 6.26.0 before 6.27.5, from 6.28.0 before 7.3.7 and from 7.4.0 before 7.8.17 are affected by this vulnerability.
All versions of Bitbucket Server from 3.10.0 before 4.4.4 (the fixed version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for 4.5.x), 4.6.0 before 4.6.4 (the fixed version for 4.6.x), 4.7.0 before 4.7.2 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are affected by this vulnerability.

Fix:

Bitbucket Server 4.9.1 is available for download from https://www.atlassian.com/software/bitbucket/download.
Bitbucket Server 4.8.4 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
Bitbucket Server 4.7.2 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
Bitbucket Server 4.6.4 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
Bitbucket Server 4.5.3 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
Bitbucket Server 4.4.4 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.

If you are running Stash 3.11 then download the JARs from this issue and install them using the instructions for installing add-ons using UPM found at https://confluence.atlassian.com/display/UPM/Installing+add-ons#Installingadd-ons-Installingbyfileupload after which you must restart Stash. Version 6.27.5 (which contains a fix) of the Atlassian Hipchat Integration Plugin should be installed.

Risk Mitigation:

If you are unable to upgrade your Bitbucket Server, then as a temporary workaround, you can disable or uninstall the Atlassian Hipchat Integration Plugin.

For additional details see the full advisory.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

base-hipchat-integration-plugin-6.27.5.jar
501 kB
12/Sep/2016 6:21 AM
base-hipchat-integration-plugin-api-6.27.5.jar
1.01 MB
12/Sep/2016 6:21 AM
stash-hipchat-integration-plugin-6.27.5.jar
221 kB
12/Sep/2016 6:21 AM

Issue Links

relates to

CONFSERVER-43695 CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

Closed

JRASERVER-62496 CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(13 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: David Black

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 12/Sep/2016 6:15 AM

Updated:: 13/Nov/2019 11:56 PM

Resolved:: 12/Sep/2016 6:24 AM