CVE-2015-5603
published 2015-09-21

Priority: P2 · 59 · medium · 6.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 59.31% (99.0th percentile)

The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability."

Affected

1 range
Vendor | Product | Version range | Fixed in
atlassian | hipchat | <= 6.29.2 |

Detection & IOCs (extracted from sources)

url: /rest/hipchat/integrations/1.0/message/render/
command: $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('...').waitFor()
command: $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{fname}').write(...)
command: $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{prop}').toString()
path: /secure/Dashboard.jspa
  • Monitor HTTP POST requests to the JIRA REST endpoint /rest/hipchat/integrations/1.0/message/render/ containing Velocity template injection payloads in the 'message' JSON field, particularly strings referencing $i18n.getClass().forName('java.lang.Runtime').
  • Detect POST request bodies to the render endpoint containing the string '$i18n.getClass().forName' as an indicator of Velocity template injection attempt.
  • Look for the X-Requested-With: XMLHttpRequest header combined with a JSESSIONID and atlassian.xsrf.token cookie on POST requests to the HipChat message render endpoint, which is the pattern used by the exploit.
  • Alert on JSON responses from the render endpoint returning {"message":"0"}, which indicates successful command execution via the Velocity template injection check.
  • Detect child processes spawned by the Tomcat/JIRA JVM process (e.g., java.exe or cmd.exe) as a result of Runtime.exec() calls triggered by the injection.
  • Authentication is required to exploit this vulnerability; the attacking account must not be protected by CAPTCHA. Unauthenticated exploitation is not possible.
  • Affected HipChat for JIRA plugin versions are 1.3.2 through 6.29.x (fixed in 6.30.0). JIRA versions 6.3.5 through 6.4.10 are also affected by default due to the bundled vulnerable HipChat plugin.
  • Passive detection (without credentials) can only identify vulnerable JIRA versions by version number metadata; it cannot confirm HipChat plugin presence or exploitability with certainty.
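
The request-side and response-side checks from the detection list above, combined into one function and run over constructed sample records. This is an added example, not code from the page or from any referenced source; the record layout (a dict with `method`, `path`, `headers`, `body`, `response_body`) and the finding labels are assumptions.

```python
import json

RENDER_PATH = "/rest/hipchat/integrations/1.0/message/render"
MARKER = "$i18n.getClass().forName"

def _json_message(text):
    """Return the decoded 'message' field of a JSON object, or None."""
    try:
        doc = json.loads(text)
    except (TypeError, ValueError):
        return None
    msg = doc.get("message") if isinstance(doc, dict) else None
    return msg if isinstance(msg, str) else None

def inspect_record(rec):
    """Return the list of findings for one request/response record."""
    path = rec["path"].split("?", 1)[0].rstrip("/")
    # endswith() also matches JIRA deployed under a context path (/jira/...).
    if rec["method"].upper() != "POST" or not path.endswith(RENDER_PATH):
        return []
    findings, body = [], rec.get("body", "")
    # Match on the JSON-decoded field so \uXXXX escapes are normalized first;
    # fall back to the raw body when it is not valid JSON.
    message = _json_message(body)
    if MARKER in (message if message is not None else body):
        findings.append("velocity-marker")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    cookie = headers.get("cookie", "")
    if (headers.get("x-requested-with") == "XMLHttpRequest"
            and "JSESSIONID=" in cookie and "atlassian.xsrf.token=" in cookie):
        findings.append("exploit-request-shape")
    if _json_message(rec.get("response_body", "")) == "0":
        findings.append("render-returned-0")
    return findings

# Constructed sample records (not real traffic); the payload is elided.
SAMPLES = [
    {"method": "POST", "path": "/jira/rest/hipchat/integrations/1.0/message/render/",
     "headers": {"X-Requested-With": "XMLHttpRequest",
                 "Cookie": "JSESSIONID=AAAA; atlassian.xsrf.token=BBBB"},
     "body": r'{"message":"\u0024i18n.getClass().forName(...)"}',
     "response_body": '{"message":"0"}'},
    {"method": "POST", "path": "/rest/hipchat/integrations/1.0/message/render/",
     "headers": {}, "body": '{"message":"Build 42 passed"}',
     "response_body": '{"message":"Build 42 passed"}'},
    {"method": "GET", "path": "/secure/Dashboard.jspa", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["path"], inspect_record(rec))
```

The first sample's raw body does not contain the marker string literally, so a plain substring match on the undecoded body would miss it; the request-shape finding alone is weak, since ordinary browser sessions can send the same header and cookies.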