HipChat for JIRA plugin - Velocity template injection
Description
The HipChat for JIRA plugin contains a Velocity template injection vulnerability that allows attackers to inject malicious code into Velocity templates. The flaw arises because the plugin concatenates user-supplied input directly into Velocity template source code before rendering it, so the input is parsed as template syntax rather than treated as data, and no adequate sanitization or validation is applied. Authenticated users with access to the JIRA web interface can exploit this vulnerability to achieve remote code execution on the server.
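The following is an added illustration of the bug class described above, written against the public Apache Velocity API; it is not the plugin's code or the advisory's, and the class name, method names, template text and sample input are assumptions. The unsafe method splices the input into the template source, which is the pattern the advisory describes; the safe method keeps the template fixed and passes the input through a VelocityContext, where the engine treats it as data.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

// Added example: contrasts the vulnerable concatenation pattern with the
// context-based pattern. Not taken from the HipChat for JIRA plugin.
public class VelocityRenderingExample {

    private static final VelocityEngine ENGINE = new VelocityEngine();
    static {
        ENGINE.init();
    }

    // VULNERABLE pattern (assumed, for illustration): user input becomes part of
    // the template source, so any Velocity syntax it contains ($references,
    // #directives) is parsed and executed by the engine instead of being shown.
    public static String renderUnsafe(String userSupplied) {
        String templateSource = "Hello, " + userSupplied + "!";
        StringWriter out = new StringWriter();
        ENGINE.evaluate(new VelocityContext(), out, "unsafe", templateSource);
        return out.toString();
    }

    // HARDENED pattern: the template source is a constant and user input enters
    // only through the context. Velocity does not re-parse context values, so
    // directive syntax inside the value is emitted verbatim as text.
    public static String renderSafe(String userSupplied) {
        String templateSource = "Hello, $name!";
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", userSupplied);
        StringWriter out = new StringWriter();
        ENGINE.evaluate(ctx, out, "safe", templateSource);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input containing harmless Velocity syntax (an arithmetic
        // #set), used only to show which code path evaluates it.
        String input = "#set($x = 6 * 7)$x";
        System.out.println("unsafe: " + renderUnsafe(input));
        System.out.println("safe:   " + renderSafe(input));
    }
}
```

Running this shows the unsafe path evaluating the directive and printing the computed number, while the safe path prints the input text literally. Moving input into the context removes the template-evaluation risk only; encoding the rendered output for its eventual sink (for example HTML escaping) remains a separate concern.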
Affected versions:
- HipChat for JIRA plugin versions 1.3.2 through 6.29.x (fixed in 6.30.0)
- JIRA Server versions 6.3.5 through 6.4.10 (fixed in 6.4.11)
Remediation
Apply one of the following remediation steps immediately:
Option 1 (Recommended): Upgrade JIRA Server to version 6.4.11 or later, which is not vulnerable to this issue and does not require the HipChat for JIRA plugin to be updated separately.
Option 2: If upgrading JIRA is not immediately feasible, update the HipChat for JIRA plugin to version 6.30.0 or later through the following steps:
- Log into JIRA as an administrator
- Navigate to Administration → Manage apps (or Add-ons)
- Locate the HipChat for JIRA plugin in the installed apps list
- Click "Update" to install version 6.30.0 or later
- Restart JIRA if prompted
Option 3: If HipChat integration is not required, disable or uninstall the HipChat for JIRA plugin entirely through the Manage apps interface.
After remediation, review JIRA access logs for any suspicious activity or unauthorized template rendering requests that may indicate prior exploitation.
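The review step above can be partly automated. The following is an added, heuristic helper that is not part of JIRA, HipChat or this advisory: it assumes an Apache combined-style access log layout with the request in the first quoted field, percent-decodes each request and flags lines whose decoded request contains Velocity directive or reference syntax, which has no legitimate reason to appear in a request parameter. The log lines and the servlet path are constructed placeholders.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example: flags access-log entries whose request parameters carry
// Velocity syntax. Heuristic only; the log layout is an assumption.
public class VelocityLogReview {

    // Velocity directives and $reference syntax. Percent-encoded forms are
    // covered because the request is decoded before matching.
    private static final Pattern VELOCITY_SYNTAX = Pattern.compile(
            "#(set|if|foreach|include|parse|evaluate|macro)\\b|\\$\\{?[A-Za-z_]");

    // Extract the quoted request field ("GET /path?query HTTP/1.1") from a
    // combined-format line; returns null when the line does not fit the layout.
    static String requestField(String logLine) {
        int start = logLine.indexOf('"');
        if (start < 0) return null;
        int end = logLine.indexOf('"', start + 1);
        if (end < 0) return null;
        return logLine.substring(start + 1, end);
    }

    // Decode percent-encoding so that %23set (#set) and %24 ($) become visible.
    static String decode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return s; // keep malformed encodings as-is rather than dropping the line
        }
    }

    // Returns every line whose decoded request contains Velocity syntax.
    public static List<String> flagSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            String req = requestField(line);
            if (req == null) continue;
            if (VELOCITY_SYNTAX.matcher(decode(req)).find()) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> sample = Arrays.asList(
            // constructed, benign request
            "10.0.0.5 - alice [12/Sep/2015:10:01:02 +0000] \"GET /browse/PROJ-1 HTTP/1.1\" 200 5123",
            // constructed request whose parameter carries a percent-encoded #set directive;
            // the servlet path is a placeholder, not a real JIRA or HipChat endpoint
            "10.0.0.9 - bob [12/Sep/2015:10:02:17 +0000] \"GET /plugins/servlet/EXAMPLE?msg=%23set(%24x%3D1)%24x HTTP/1.1\" 200 412"
        );
        for (String hit : flagSuspicious(sample)) {
            System.out.println("REVIEW: " + hit);
        }
    }
}
```

Only the second constructed line is reported. Treat a hit as a prompt for manual review of the user, session and time window rather than as proof of exploitation, and adjust the request-field extraction if the deployment uses a different access-log pattern.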