The Confluence HipChat pluginĀ exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluence account that has either:
- Create space permission (this is a default permission for all users)
- Space admin permission for any space
- Confluence Administrator or System Administrator permission
Using the secret key attackers can gain full control over a linkedĀ HipChat instance.
\
Affected versions:
- All versions ofĀ Confluence HipChatĀ pluginĀ from 6.26.0 beforeĀ 7.8.17Ā are affected by this vulnerability.
- All versions ofĀ ConfluenceĀ from 5.9.1Ā beforeĀ 5.9.14Ā (the fixed version for 5.9.x) and from 5.10.0Ā before 5.10.4Ā (the fixed version for 5.10.x)Ā are affected by this vulnerability.
Fix:
Risk Mitigation:
- If you are unable to upgrade your Confluence server or the Confluence HipChat plugin, then as aĀ temporary workaround, you canĀ disable or uninstall theĀ Confluence HipChat plugin and the Atlassian HipChat Integration pluginĀ in Confluence.
For additional details see the [full advisory|https://confluence.atlassian.com/x/yIGbMg].