CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

    Details

      Description

      The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service on various pages. This vulnerability only affects your Confluence instance if a HipChat integration has been established. To exploit this issue, attackers need access to a Confluence account that has any of the following:

      • Create space permission (this is a default permission for all users)
      • Space admin permission for any space
      • Confluence Administrator or System Administrator permission

      Using the secret key attackers can gain full control over a linked HipChat instance.


      Affected versions:

      • All versions of Confluence HipChat plugin from 6.26.0 before 7.8.17 are affected by this vulnerability.
      • All versions of Confluence from 5.9.1 before 5.9.14 (the fixed version for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x) are affected by this vulnerability.

      Fix:

      Risk Mitigation:

      • If you are unable to upgrade your Confluence server or the Confluence HipChat plugin, then as a temporary workaround, you can disable or uninstall the Confluence HipChat plugin and the Atlassian HipChat Integration plugin in Confluence.

       For additional details see the full advisory.

              People

              Assignee:
              Unassigned
              Reporter:
              dblack David Black
              Last Touched By:
              Katherine Yabut

                Dates

                Last commented:
                2 years, 45 weeks, 1 day ago