[BSERV-9146] CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance. - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 4.4.4, 4.5.3, 4.6.4, 4.7.2, 4.8.4, 4.9.0
Affects Version/s: 3.10.0, 4.5.1, 4.6.0, 4.7.1, 4.8.0
Component/s: Integration - HC
Labels:

Symptom Severity:
Severity 1 - Critical
Bug Fix Policy:
View Atlassian Server bug fix policy

The Atlassian Hipchat Integration Plugin for Bitbucket Server exposed the secret key it used to communicate with a linked HipChat service in various administration pages. For this vulnerability to affect your Bitbucket Server instance you must have a HipChat integration established. To exploit this issue, attackers must have Admin access to a Bitbucket Server. Using the secret key attackers could gain full control over a linked HipChat instance.

Affected versions:

All versions of Atlassian Hipchat Integration Plugin for Bitbucket Server from 6.26.0 before 6.27.5, from 6.28.0 before 7.3.7 and from 7.4.0 before 7.8.17 are affected by this vulnerability.
All versions of Bitbucket Server from 3.10.0 before 4.4.4 (the fixed version for 4.4.x), from 4.5.0 before 4.5.3 (the fixed version for 4.5.x), 4.6.0 before 4.6.4 (the fixed version for 4.6.x), 4.7.0 before 4.7.2 (the fixed version for 4.7.x) and from 4.8.0 before 4.8.4 are affected by this vulnerability.

Fix:

Bitbucket Server 4.9.1 is available for download from https://www.atlassian.com/software/bitbucket/download.
Bitbucket Server 4.8.4 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
Bitbucket Server 4.7.2 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
Bitbucket Server 4.6.4 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
Bitbucket Server 4.5.3 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.
Bitbucket Server 4.4.4 is available for download from https://www.atlassian.com/software/bitbucket/download-archives.html.

If you are running Stash 3.11 then download the JARs from this issue and install them using the instructions for installing add-ons using UPM found at https://confluence.atlassian.com/display/UPM/Installing+add-ons#Installingadd-ons-Installingbyfileupload after which you must restart Stash. Version 6.27.5 (which contains a fix) of the Atlassian Hipchat Integration Plugin should be installed.

Risk Mitigation:

If you are unable to upgrade your Bitbucket Server, then as a temporary workaround, you can disable or uninstall the Atlassian Hipchat Integration Plugin.

For additional details see the full advisory.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

stash-hipchat-integration-plugin-6.27.5.jar
221 kB
12/Sep/2016 6:21 AM
base-hipchat-integration-plugin-6.27.5.jar
501 kB
12/Sep/2016 6:21 AM
base-hipchat-integration-plugin-api-6.27.5.jar
1.01 MB
12/Sep/2016 6:21 AM

relates to

CONFSERVER-43695 CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

Closed

JRASERVER-62496 CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

Closed

mentioned in: Bitbucket Server security advisory 2016-09-21; Page No Confluence page found with the given URL.; Page No Confluence page found with the given URL.; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(13 mentioned in)

David Black made changes - 13/Nov/2019 11:56 PM

Labels

Original: CVE-2016-6668 advisory cvss-critical security

New: CVE-2016-6668 advisory cvss-critical information-disclosure security

Owen made changes - 10/Apr/2019 6:47 AM

Workflow

Original: Stash Workflow - Restricted [ 1596970 ]

New: JAC Bug Workflow v3 [ 3137279 ]

Owen made changes - 24/Oct/2018 5:01 AM

Symptom Severity

Original: Critical [ 14430 ]

New: Severity 1 - Critical [ 15830 ]

vkharisma made changes - 01/Apr/2017 7:42 PM

Link

New: This issue relates to JRACLOUD-62496 [ JRACLOUD-62496 ]

vkharisma made changes - 01/Apr/2017 2:12 PM

Link

New: This issue relates to CONFCLOUD-43695 [ CONFCLOUD-43695 ]

Rachel Robins made changes - 27/Mar/2017 8:52 PM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 273927 ]

New: This issue links to "Page (Atlassian Documentation)" [ 273927 ]

Rachel Robins made changes - 27/Mar/2017 8:48 PM

Remote Link

New: This issue links to "Page (Atlassian Documentation)" [ 273927 ]

Paz (Inactive) made changes - 16/Feb/2017 2:43 AM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 261625 ]

New: This issue links to "Page (Atlassian Documentation)" [ 261625 ]

Paz (Inactive) made changes - 16/Feb/2017 2:36 AM

Remote Link

New: This issue links to "Page (Atlassian Documentation)" [ 261625 ]

Paz (Inactive) made changes - 19/Jan/2017 10:41 PM

Remote Link

Original: This issue links to "Page (Atlassian Documentation)" [ 252607 ]

New: This issue links to "Page (Atlassian Documentation)" [ 252607 ]

Assignee:: Unassigned

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 12/Sep/2016 6:15 AM

Updated:: 13/Nov/2019 11:56 PM

Resolved:: 12/Sep/2016 6:24 AM

Bitbucket Data Center

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

[BSERV-9146] CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

People

Dates

Backbone Issue Sync