PatchSiren cyber security CVE debrief
CVE-2016-6668 Atlassian CVE debrief
CVE-2016-6668 is a secret-disclosure issue in several Atlassian HipChat integration plugins. An attacker able to read certain pages in affected deployments could obtain the secret key used to communicate with HipChat instances. NVD rates the issue as High severity because it is network exploitable, requires no privileges or user interaction, and impacts confidentiality.
- Vendor: Atlassian
- Product: CVE-2016-6668
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-23
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-23
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams managing Atlassian Bitbucket Server, Confluence, or JIRA environments that use the HipChat integration plugins. This is especially important for any deployment still running an affected plugin version or where HipChat integration secrets may not have been rotated.
Technical summary
The CVE description states that the Atlassian Hipchat Integration Plugin for Bitbucket Server, the Confluence HipChat plugin, and the HipChat for JIRA plugin allowed remote attackers to obtain the secret key used for communicating with HipChat instances by reading unspecified pages. Affected versions named in the description are Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA plugin 6.26.0 before 7.8.17. NVD maps the weakness to CWE-200 and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Defensive priority
High. The issue is remotely reachable, requires no authentication, and exposes a secret used for service communication, so affected systems should be patched and checked promptly.
Recommended defensive actions
- Upgrade the affected Atlassian plugins to the fixed versions identified in the CVE description.
- Inventory Bitbucket Server, Confluence, and JIRA instances to confirm whether any affected HipChat integration plugin is installed.
- Rotate or reissue any HipChat communication secret keys after remediation, especially if exposure cannot be ruled out.
- Review access controls for any pages or content that could reveal integration secrets and restrict access appropriately.
- Remove or disable the HipChat integration plugin on systems where it is not needed.
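For the inventory step, a small triage script can compare each installed plugin version against the ranges in the CVE description. This is an added example, not Atlassian or NVD code; it assumes the listed ranges are plugin versions with an inclusive lower bound and exclusive upper bound, and the product labels, hostnames, and inventory rows are constructed for illustration.

```python
import re

# Affected plugin version ranges from the CVE description: (first affected, first fixed).
AFFECTED = {
    "bitbucket": [("6.26.0", "6.27.5"), ("6.28.0", "7.3.7"), ("7.4.0", "7.8.17")],
    "confluence": [("6.26.0", "7.8.17")],
    "jira": [("6.26.0", "7.8.17")],
}

def parse_version(text):
    """Turn '7.3.6' into (7, 3, 6); reject anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))  # pad '7.4' to (7, 4, 0)

def fixed_version(product, version):
    """Return the fixed version to upgrade to if affected, else None."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED[product]:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None

def triage(inventory):
    """Classify each (host, product, plugin_version) row."""
    findings = []
    for host, product, version in inventory:
        try:
            fix = fixed_version(product, version)
        except (KeyError, ValueError):
            # Unknown product label or odd version string: needs a human look.
            findings.append((host, "REVIEW", None))
            continue
        findings.append((host, "AFFECTED" if fix else "OK", fix))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("bb-01", "bitbucket", "6.27.4"),
    ("bb-02", "bitbucket", "6.27.5"),
    ("bb-03", "bitbucket", "7.3.6"),
    ("conf-01", "confluence", "7.8.17"),
    ("jira-01", "jira", "6.26.0"),
    ("jira-02", "jira", "7.8.17-SNAPSHOT"),
]

if __name__ == "__main__":
    for host, status, fix in triage(SAMPLE):
        print(host, status, f"upgrade to >= {fix}" if fix else "")
```

Rows flagged AFFECTED are also candidates for the secret rotation step, since the key may already have been exposed before the upgrade.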
Evidence notes
The CVE was published on 2017-01-23 and later modified on 2026-05-13. The supplied NVD record classifies the issue as CVSS 3.1 High (7.5) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-200. NVD references Atlassian vendor advisories and third-party advisories. No CISA KEV entry was supplied in the corpus.
Official resources
- CVE-2016-6668 CVE record (CVE.org)
- CVE-2016-6668 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Public CVE disclosure; no KEV listing was provided in the supplied enrichment.