[HCPUB-2801] Apache Struts 2 Remote Code Execution (CVE-2017-5638) Created: 09/Mar/2017  Updated: 30/Aug/2017  Resolved: 10/Mar/2017

Status: Closed
Project: HipChat
Component/s: Other
Affects Version/s: None
Fix Version/s: HCS 2.2.2

Type: Bug Priority: Highest
Reporter: Alek Amrani Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: CVE-2017-5638, advisory, advisory-released, injection, rce, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Last commented: 1 year, 28 weeks ago
Last commented by user?: true
Symptom Severity: Critical
Platform: HipChat Server



HipChat Server ships a version of Apache Struts 2 that is vulnerable to remote network attackers, who can potentially use it on vulnerable versions of HipChat Server to:

  • Execute remote code of their choice
  • Make HTTP requests to local and internal services

To exploit this issue, attackers need to have network access to a HipChat Server instance.

Affected versions
All versions of HipChat Server before version 2.2.2 are affected by this vulnerability.

We have taken the following steps to address these issues:

  • Released a patch for customers.
  • Released HipChat Server version 2.2.2 that contains a fix for the issue.

For additional details see the full advisory.

Comment by John Pfeiffer [ 10/Mar/2017 ]

Fixed in the latest release:


Details of the security advisory:


