Velocity Template Injection Vulnerability in HipChat for JIRA by Atlassian
CVE-2015-5603

Currently unrated

Key Information:

Vendor: Atlassian
Status: Hipchat
Vendor: CVE Published:; 21 September 2015

What is CVE-2015-5603?

The HipChat for JIRA plugin before version 6.30.0 for Atlassian JIRA is susceptible to template injection, which may allow remote authenticated users to execute arbitrary Java code. This vulnerability arises due to insufficient input validation in the plugin's use of the Velocity template engine, enabling attackers to craft requests that can manipulate the execution of the server-side code.

References

https://confluence.atlassian.com/jira/jira-and-hipchat-fo...

x_refsource_CONFIRM

https://www.exploit-db.com/exploits/38905/

exploitx_refsource_EXPLOIT-DB

http://packetstormsecurity.com/files/133401/Jira-HipChat-...

x_refsource_MISC

EPSS Score

83% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 21, 2015
Vulnerability Reserved
Jul 20, 2015