The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluence account that has either:
- Create space permission (this is a default permission for all users)
- Space admin permission for any space
- Confluence Administrator or System Administrator permission
Using the secret key attackers can gain full control over a linked HipChat instance.
- All versions of Confluence HipChat plugin from 6.26.0 before 7.8.17 are affected by this vulnerability.
- All versions of Confluence from 5.9.1 before 5.9.14 (the fixed version for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x) are affected by this vulnerability.
- The Confluence HipChat plugin can be updated through Confluence's add-on manager. For instructions on how to update the Confluence HipChat plugin see https://confluence.atlassian.com/display/UPM/Updating+add-ons.
- Confluence Server 5.10.4 is available for download from https://www.atlassian.com/software/confluence/download.
- Confluence Server 5.9.14 is available for download from https://www.atlassian.com/software/confluence/download-archives.
- If you are unable to upgrade your Confluence server or the Confluence HipChat plugin, then as a temporary workaround, you can disable or uninstall the Confluence HipChat plugin and the Atlassian HipChat Integration plugin in Confluence.
For additional details see the full advisory.