Uploaded image for project: 'Confluence Server'
  1. Confluence Server
  2. CONFSERVER-43695

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.




      The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluence account that has either:

      • Create space permission (this is a default permission for all users)
      • Space admin permission for any space
      • Confluence Administrator or System Administrator permission

      Using the secret key attackers can gain full control over a linked HipChat instance.

      Affected versions:

      • All versions of Confluence HipChat plugin from 6.26.0 before 7.8.17 are affected by this vulnerability. 
      • All versions of Confluence from 5.9.1 before 5.9.14 (the fixed version for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x) are affected by this vulnerability.




      Risk Mitigation:

      • If you are unable to upgrade your Confluence server or the Confluence HipChat plugin, then as a temporary workaround, you can disable or uninstall the Confluence HipChat plugin and the Atlassian HipChat Integration plugin in Confluence.


       For additional details see the full advisory.


          Issue Links



              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created:
                  Last commented:
                  2 years, 32 weeks, 2 days ago