Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-43695

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

      The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluence account that has either:

      • Create space permission (this is a default permission for all users)
      • Space admin permission for any space
      • Confluence Administrator or System Administrator permission

      Using the secret key attackers can gain full control over a linked HipChat instance.


      Affected versions:

      • All versions of Confluence HipChat plugin from 6.26.0 before 7.8.17 are affected by this vulnerability. 
      • All versions of Confluence from 5.9.1 before 5.9.14 (the fixed version for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x) are affected by this vulnerability.

       

      Fix:

       

      Risk Mitigation:

      • If you are unable to upgrade your Confluence server or the Confluence HipChat plugin, then as a temporary workaround, you can disable or uninstall the Confluence HipChat plugin and the Atlassian HipChat Integration plugin in Confluence.

       

       For additional details see the full advisory.

          Form Name

            [CONFSERVER-43695] CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

            Yes, as per the full advisory we suggest rotating keys.

            David Black added a comment - Yes, as per the full advisory we suggest rotating keys.

            Do cloud users need to rotate their keys as well?

            Deleted Account (Inactive) added a comment - Do cloud users need to rotate their keys as well?

            David Black added a comment - - edited

            This is the sanitised copy of CONF-43400, CONF-43502 and HC-32766.

            David Black added a comment - - edited This is the sanitised copy of CONF-43400, CONF-43502 and HC-32766.

              Unassigned Unassigned
              dblack David Black
              Affected customers:
              0 This affects my team
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: