Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-43695

CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

XMLWordPrintable

      The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluence account that has either:

      • Create space permission (this is a default permission for all users)
      • Space admin permission for any space
      • Confluence Administrator or System Administrator permission

      Using the secret key attackers can gain full control over a linked HipChat instance.


      Affected versions:

      • All versions of Confluence HipChat plugin from 6.26.0 before 7.8.17 are affected by this vulnerability. 
      • All versions of Confluence from 5.9.1 before 5.9.14 (the fixed version for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x) are affected by this vulnerability.

       

      Fix:

       

      Risk Mitigation:

      • If you are unable to upgrade your Confluence server or the Confluence HipChat plugin, then as a temporary workaround, you can disable or uninstall the Confluence HipChat plugin and the Atlassian HipChat Integration plugin in Confluence.

       

       For additional details see the full advisory.

              Unassigned Unassigned
              dblack David Black
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: