CVE-2016-6668 - The HipChat plugin for various products leaks the secret key it uses to communicate with a linked HipChat instance.

The Confluence HipChat plugin exposed the secret key it used to communicate with a linked HipChat service in various pages. For this vulnerability to affect your Confluence instance you must have a HipChat integration established. To exploit this issue, attackers need to have access to a Confluence account that has either:

• Create space permission (this is a default permission for all users)
• Space admin permission for any space
• Confluence Administrator or System Administrator permission

Using the secret key attackers can gain full control over a linked HipChat instance.

\
Affected versions:

• All versions of Confluence HipChat plugin from 6.26.0 before 7.8.17 are affected by this vulnerability.
• All versions of Confluence from 5.9.1 before 5.9.14 (the fixed version for 5.9.x) and from 5.10.0 before 5.10.4 (the fixed version for 5.10.x) are affected by this vulnerability.

Fix:

• The Confluence HipChat plugin can be updated through Confluence’s add-on manager. For instructions on how to update the Confluence HipChat plugin see [https://confluence.atlassian.com/display/UPM/Updating+add-ons].
• Confluence Server 5.10.4 is available for download from [https://www.atlassian.com/software/confluence/download].
• Confluence Server 5.9.14 is available for download from [https://www.atlassian.com/software/confluence/download-archives].

Risk Mitigation:

• If you are unable to upgrade your Confluence server or the Confluence HipChat plugin, then as a temporary workaround, you can disable or uninstall the Confluence HipChat plugin and the Atlassian HipChat Integration plugin in Confluence.

For additional details see the [full advisory|https://confluence.atlassian.com/x/yIGbMg].