-
Bug
-
Resolution: Fixed
-
Highest (View bug fix roadmap)
-
6.4.8, 7.1.0
-
6.04
-
Severity 1 - Critical
-
The HipChat for JIRA plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your JIRA instance you must have a HipChat integration established. To exploit this issue in JIRA versions 7.0.0 and higher, attackers need to have access to a JIRA account. In JIRA versions before 7.0.0, such as 6.4.x, attackers only need access to the JIRA web interface. Using the secret key attackers can gain full control over a linked HipChat instance.
Affected versions:
- All versions of HipChat for JIRA plugin from 6.26.0 before 7.8.17 are affected by this vulnerability.
- All versions of JIRA from 6.4.8 before 7.0.11(the fixed version for 7.0.x) and from 7.1.0 before 7.1.10 (the fixed version for 7.1.x) are affected by this vulnerability are affected by this vulnerability.
Fix:
- The HipChat for JIRA plugin can be updated through JIRA's add-on manager. For instructions on how to update the HipChat For JIRA plugin see https://confluence.atlassian.com/display/UPM/Updating+add-ons.
- JIRA Server 7.2.1 is available for download from https://www.atlassian.com/software/jira/download.
- JIRA Server 7.1.10 is available for download from https://www.atlassian.com/software/jira/update.
- JIRA Server 7.0.11 is available for download from https://www.atlassian.com/software/jira/update.
Risk Mitigation:
- If you are unable to upgrade your JIRA server or the HipChat for JIRA plugin, then as a temporary workaround, you can disable or uninstall the HipChat for JIRA plugin in JIRA.
For additional details see the full advisory.
- is related to
-
-
- Closed
-
- relates to
-
-
- Closed
-
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
![[Extranet] Page](/images/icons/generic_link_16.png "[Extranet] Page"){kind=icon}
[JRASERVER-62496] CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.
| Labels | Original: CVE-2016-6668 advisory affects-server cvss-critical security | New: CVE-2016-6668 advisory affects-server cvss-critical information-disclosure security |
| Minimum Version | New: 6.04 |
| Workflow | Original: JAC Bug Workflow v2 [ 2830385 ] | New: JAC Bug Workflow v3 [ 2929666 ] |
| Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
| Symptom Severity | Original: Critical [ 14430 ] | New: Severity 1 - Critical [ 15830 ] |
| Workflow | Original: JIRA Bug Workflow w Kanban v7 - Restricted [ 2579227 ] | New: JAC Bug Workflow v2 [ 2830385 ] |
| Status | Original: Closed [ 6 ] | New: Resolved [ 5 ] |
| Fix Version/s | New: 7.1.10 [ 64204 ] | |
| Fix Version/s | Original: 7.1.10 Server [ 63302 ] |
| Workflow | Original: JIRA Bug Workflow w Kanban v6 - Restricted [ 1596972 ] | New: JIRA Bug Workflow w Kanban v7 - Restricted [ 2579227 ] |
| Labels | Original: CVE-2016-6668 advisory cvss-critical security | New: CVE-2016-6668 advisory affects-server cvss-critical security |
| Comment | [ A comment with security level 'atlassian-staff' was removed. ] |
| Security | Original: Reporter and Atlassian Staff [ 10751 ] |