CVE-2015-5603
Published: 2015-09-21
Priority: P2 · 59 · medium · CVSS 2.0: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: available
EPSS: 59.31% (99.0th percentile)
The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | hipchat | <= 6.29.2 | — |
Detection & IOCs
command: $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('...').waitFor()
command: $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{fname}').write(...)
command: $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{prop}').toString()
- Monitor HTTP POST requests to the JIRA REST endpoint /rest/hipchat/integrations/1.0/message/render/ containing Velocity template injection payloads in the 'message' JSON field, particularly strings referencing $i18n.getClass().forName('java.lang.Runtime').
- Detect POST request bodies to the render endpoint containing the string '$i18n.getClass().forName' as an indicator of a Velocity template injection attempt.
- Look for the X-Requested-With: XMLHttpRequest header combined with a JSESSIONID and atlassian.xsrf.token cookie on POST requests to the HipChat message render endpoint, which is the pattern used by the exploit.
- Alert on JSON responses from the render endpoint returning {"message":"0"}, which indicates successful command execution via the Velocity template injection check.
- Detect child processes spawned by the Tomcat/JIRA JVM process (e.g., java.exe or cmd.exe) as a result of Runtime.exec() calls triggered by the injection.
- Authentication is required to exploit this vulnerability; the attacking account must not be protected by CAPTCHA. Unauthenticated exploitation is not possible.
- Affected HipChat for JIRA plugin versions are 1.3.2 through 6.29.x (fixed in 6.30.0). JIRA versions 6.3.5 through 6.4.10 are also affected by default because they bundle a vulnerable HipChat plugin.
- Passive detection (without credentials) can only identify vulnerable JIRA versions by version number metadata; it cannot confirm HipChat plugin presence or exploitability with certainty.
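An added example, not taken from this page's sources or from any referenced module: a Python sketch of the request and response checks listed above, run over constructed records. The record field names (`method`, `path`, `request_body`, `response_body`) are assumptions about how a proxy or WAF log has already been parsed.

```python
import json

RENDER_PATH = "/rest/hipchat/integrations/1.0/message/render"
MARKER = "$i18n.getClass().forName"

def message_field(body):
    """Return the decoded 'message' JSON field, or the raw body if it is not JSON."""
    try:
        doc = json.loads(body)
    except ValueError:
        return body
    if isinstance(doc, dict):
        return str(doc.get("message", ""))
    return body

def classify(record):
    """Return the list of findings for one request/response record (a dict)."""
    findings = []
    path = record["path"].split("?", 1)[0].rstrip("/")
    if record["method"] != "POST" or path != RENDER_PATH:
        return findings
    # Match on the decoded value so JSON escaping of '$' does not hide the marker.
    if MARKER in message_field(record["request_body"]):
        findings.append("velocity-injection-marker")
        try:
            resp = json.loads(record.get("response_body", ""))
        except ValueError:
            resp = None
        # {"message":"0"} is the response pattern the page associates with success.
        if isinstance(resp, dict) and resp.get("message") == "0":
            findings.append("render-returned-0")
    return findings

# Constructed sample records (not real traffic).
_EP = "/rest/hipchat/integrations/1.0/message/render/"
SAMPLES = [
    {"method": "POST", "path": _EP, "response_body": '{"message":"0"}',
     "request_body": json.dumps({"message": "$i18n.getClass().forName('java.lang.Runtime')"})},
    {"method": "POST", "path": _EP, "response_body": '{"message":"x"}',
     "request_body": '{"message": "\\u0024i18n.getClass().forName(\'java.lang.System\')"}'},
    {"method": "POST", "path": _EP, "response_body": '{"message":"Build 42 passed"}',
     "request_body": '{"message": "Build 42 passed"}'},
    {"method": "GET", "path": "/secure/Dashboard.jspa", "request_body": "", "response_body": ""},
]

def scan(records):
    return [classify(r) for r in records]
```

Records that carry both findings are the ones to correlate first with child-process telemetry from the Tomcat/JIRA JVM.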
No detection rules found.
Exploit-DB
Atlassian HipChat for Jira Plugin - Velocity Template Injection (Metasploit)
exploitdb·2015-12-08
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'json'
class Metasploit3 "Atlassian HipChat for Jira Plugin Velocity Template Injection",
'Description' => %q{
Atlassian Hipchat is a web service for internal instant messaging. A plugin is available
for Jira that allows team collibration at real time. A message can be used to inject Java
code into a Velocity template, and gain code exeuction as Jira. Authentication is required
to exploit this vulnerability, and you must make sure the account you're using isn't
protected by captcha. By default, Java payload will be used because it is cross-platf
Exploit-DB
JIRA and HipChat for JIRA Plugin - Velocity Template Injection
exploitdb·2015-10-28·CVSS 6.5
---
############################################################################
# JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability
# Date: 2015-08-26
# CVE ID: CVE-2015-5603
# Vendor Link: https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
#
# Product: JIRA and the HipChat for JIRA plugin.
# Affected HipChat For JIRA plugin versions: 1.3.2
#
# Tested against JIRA 6.3.4a with HipChat 6.29.2 on Windows 7 x64
# Allows any authenticated JIRA user to execute code running as Tomcat identity
############################################################################
import urllib2
import json
# cookie of any authenticated session (ex. jira-
Metasploit
Atlassian HipChat for Jira Plugin Velocity Template Injection
Atlassian Hipchat is a web service for internal instant messaging. A plugin is available for Jira that allows team collaboration at real time. A message can be used to inject Java code into a Velocity template, and gain code execution as Jira. Authentication is required to exploit this vulnerability, and you must make sure the account you're using isn't protected by captcha. By default, Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). HipChat for Jira plugin versions between 1.3.2 and 6.30.0 are affected. Jira versions between 6.3.5 and 6.4.10 are also affected by default, because they were bundled with a vulnerable copy of HipChat. When using the
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/133401/Jira-HipChat-For-Jira-Java-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/multi/http/jira_hipchat_template
- http://www.securityfocus.com/archive/1/536374/100/0/threaded
- https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
- https://www.exploit-db.com/exploits/38551/
- https://www.exploit-db.com/exploits/38905/