The HipChat for JIRA plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your JIRA instance you must have a HipChat integration established. To exploit this issue in JIRA versions 7.0.0 and higher, attackers need to have access to a JIRA account. In JIRA versions before 7.0.0, such as 6.4.x, attackers only need access to the JIRA web interface. Using the secret key attackers can gain full control over a linked HipChat instance.
\
Affected versions:
\
Fix:
\
Risk Mitigation:
\
For additional details see the [full advisory|https://confluence.atlassian.com/x/w4GbMg].