{"api_version":"1","generated_at":"2026-04-23T00:38:50+00:00","cve":"CVE-2017-14585","urls":{"html":"https://cve.report/CVE-2017-14585","api":"https://cve.report/api/cve/CVE-2017-14585.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-14585","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-14585"},"summary":{"title":"CVE-2017-14585","description":"A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators. This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected.","state":"PUBLIC","assigner":"security@atlassian.com","published_at":"2017-11-27 16:29:00","updated_at":"2017-12-20 23:37:00"},"problem_types":["CWE-918"],"metrics":[],"references":[{"url":"https://jira.atlassian.com/browse/HCPUB-3526","name":"https://jira.atlassian.com/browse/HCPUB-3526","refsource":"CONFIRM","tags":["Issue Tracking","Vendor Advisory"],"title":"[HCPUB-3526] Remote code execution in HipChat Server and Data Center via SSRF in 'admin' interface - CVE-2017-14585 - Create and track feature requests for Atlassian products.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://confluence.atlassian.com/hc/hipchat-server-security-advisory-2017-11-22-939946293.html","name":"https://confluence.atlassian.com/hc/hipchat-server-security-advisory-2017-11-22-939946293.html","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Hipchat Server Security Advisory 2017-11-22 - Atlassian Documentation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/101945","name":"101945","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Atlassian Hipchat Server and Data Center CVE-2017-14585 Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-14585","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-14585","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"14585","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"hipchat_data_center","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"14585","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"hipchat_data_center","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"14585","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"hipchat_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"14585","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"hipchat_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@atlassian.com","DATE_PUBLIC":"2017-11-22T00:00:00","ID":"CVE-2017-14585","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Hipchat Server","version":{"version_data":[{"version_value":"2.2.0 <= version < 4.3"}]}},{"product_name":"Hipchat Data Center","version":{"version_data":[{"version_value":"3.0.0 <= version < 3.1.0"}]}}]},"vendor_name":"Atlassian"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators. This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Remote Code Execution"}]}]},"references":{"reference_data":[{"name":"https://jira.atlassian.com/browse/HCPUB-3526","refsource":"CONFIRM","url":"https://jira.atlassian.com/browse/HCPUB-3526"},{"name":"101945","refsource":"BID","url":"http://www.securityfocus.com/bid/101945"},{"name":"https://confluence.atlassian.com/hc/hipchat-server-security-advisory-2017-11-22-939946293.html","refsource":"CONFIRM","url":"https://confluence.atlassian.com/hc/hipchat-server-security-advisory-2017-11-22-939946293.html"}]}},"nvd":{"publishedDate":"2017-11-27 16:29:00","lastModifiedDate":"2017-12-20 23:37:00","problem_types":["CWE-918"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9},"severity":"HIGH","exploitabilityScore":8,"impactScore":10,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:hipchat_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.2.0","versionEndExcluding":"2.2.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:hipchat_data_center:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.1.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"14585","Ordinal":"112053","Title":"CVE-2017-14585","CVE":"CVE-2017-14585","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"14585","Ordinal":"1","NoteData":"A Server Side Request Forgery (SSRF) vulnerability could lead to remote code execution for authenticated administrators. This issue was introduced in version 2.2.0 of Hipchat Server and version 3.0.0 of Hipchat Data Center. Versions of Hipchat Server starting with 2.2.0 and before 2.2.6 are affected by this vulnerability. Versions of Hipchat Data Center starting with 3.0.0 and before 3.1.0 are affected.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"14585","Ordinal":"2","NoteData":"2017-11-27","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"14585","Ordinal":"3","NoteData":"2017-11-28","Type":"Other","Title":"Modified"}]}}}