Type: Bug
Resolution: Fixed
Priority: Highest
Affects versions: 5.9.1, 5.10.0
Symptom Severity: Severity 1 - Critical
The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluence account that has either:
- Create space permission (this is a default permission for all users)
- Space admin permission for any space
- Confluence Administrator or System Administrator permission
Using the secret key attackers can gain full control over a linked HipChat instance.
Affected versions:
- All versions of Confluence HipChat plugin from 6.26.0 before 7.8.17 are affected by this vulnerability.
- All versions of Confluence from 5.9.1 before 5.9.14 (the fixed version for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x) are affected by this vulnerability.
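The two version ranges above are easy to get wrong when compared as strings (lexically, "5.10.4" sorts before "5.9.14"). The following is an added triage helper, not part of the advisory or any Atlassian code; the product keys, function names and the sample inventory are constructed for illustration, and the ranges are the half-open intervals the advisory states (first affected version inclusive, fixed version exclusive).

```python
import re
from typing import Dict, List, Tuple

# Affected ranges from CONFSERVER-43695, as half-open [first_affected, fixed)
# intervals: the fixed version itself is not affected.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "confluence-hipchat-plugin": [("6.26.0", "7.8.17")],
    "confluence-server": [("5.9.1", "5.9.14"), ("5.10.0", "5.10.4")],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '5.10.4' to (5, 10, 4) so each component compares numerically.

    A plain string comparison would put '5.10.4' before '5.9.14', which is wrong.
    A non-numeric suffix on a component (e.g. '4-beta') is ignored.
    """
    parts = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if m is None:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(product: str, version: str) -> bool:
    """True if the version lies inside any affected range for the product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES[product])

def triage(confluence_version: str, plugin_version: str, hipchat_linked: bool) -> Dict[str, object]:
    """Summarise exposure for one instance; the advisory requires a linked HipChat service."""
    conf_hit = is_affected("confluence-server", confluence_version)
    plugin_hit = is_affected("confluence-hipchat-plugin", plugin_version)
    exposed = hipchat_linked and (conf_hit or plugin_hit)
    if exposed:
        action = "update the HipChat plugin via the add-on manager or upgrade Confluence; workaround: disable or uninstall the HipChat plugins"
    elif conf_hit or plugin_hit:
        action = "affected versions installed but no HipChat integration; patch before linking HipChat"
    else:
        action = "no action required"
    return {"confluence_affected": conf_hit, "plugin_affected": plugin_hit,
            "exposed": exposed, "action": action}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, conf, plug, linked in [("wiki-a", "5.10.2", "7.8.10", True),
                                     ("wiki-b", "5.9.14", "7.8.17", True),
                                     ("wiki-c", "5.9.13", "7.8.16", False)]:
        print(host, triage(conf, plug, linked))
```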
Fix:
- The Confluence HipChat plugin can be updated through Confluence's add-on manager. For instructions on how to update the Confluence HipChat plugin see https://confluence.atlassian.com/display/UPM/Updating+add-ons.
- Confluence Server 5.10.4 is available for download from https://www.atlassian.com/software/confluence/download.
- Confluence Server 5.9.14 is available for download from https://www.atlassian.com/software/confluence/download-archives.
Risk Mitigation:
- If you are unable to upgrade your Confluence server or the Confluence HipChat plugin, then as a temporary workaround, you can disable or uninstall the Confluence HipChat plugin and the Atlassian HipChat Integration plugin in Confluence.
For additional details see the full advisory.
Is related to:
- BSERV-9146 CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance. (Closed)
- JRASERVER-62496 CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance. (Closed)
[CONFSERVER-43695] CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.
Change history (field | original value | new value), most recent first:
Workflow | Original: JAC Bug Workflow v3 [ 2896478 ] | New: CONFSERVER Bug Workflow v4 [ 2989284 ] |
Workflow | Original: JAC Bug Workflow v2 [ 2787771 ] | New: JAC Bug Workflow v3 [ 2896478 ] |
Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
Workflow | Original: JAC Bug Workflow [ 2721947 ] | New: JAC Bug Workflow v2 [ 2787771 ] |
Symptom Severity | Original: Critical [ 14430 ] | New: Severity 1 - Critical [ 15830 ] |
Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2392135 ] | New: JAC Bug Workflow [ 2721947 ] |
Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 2272935 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2392135 ] |
Workflow | Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2223360 ] | New: Confluence Workflow - Public Facing - Restricted v5 [ 2272935 ] |
Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2176053 ] | New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2223360 ] |
Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 1938285 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2176053 ] |
Workflow | Original: Confluence Workflow - Public Facing - Restricted v3 [ 1737261 ] | New: Confluence Workflow - Public Facing - Restricted v5 [ 1938285 ] |