
HipChat patch for CVE-2018-11776?

Rob Crowell August 24, 2018

Do we have any hope of getting a patch for this?

https://cwiki.apache.org/confluence/display/WW/S2-057

1 answer

0 votes
AhmadDanial
Atlassian Team
August 27, 2018

Hi there, Rob.

We've been reviewing the CVE in depth and can report back that HipChat and Embedded Crowd are not affected. The vulnerability relies on certain namespace mappings being set to 'true' whereas we've explicitly set our namespaces in the code as required, and this value by default is set to 'false' when not defined. 

At present, most security scanners may just pick this CVE up due to the Struts library version; however, this should be marked as a false positive for now. We will be issuing updates to Crowd and HipChat with version bumps to correct this as soon as we can.

You can watch our HipChat Server Release Notes page for new updates when they are released. Hope that helps!
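For readers triaging the same scanner finding on their own Struts applications, here is an added example (not part of the original thread, and not Atlassian's code) that checks a `struts.xml` for the two configuration preconditions named in the S2-057 advisory: `struts.mapper.alwaysSelectFullNamespace` set to `true`, and packages with no namespace or a wildcard namespace. The sample configurations and the function name are constructed for illustration; the check is a coarse first pass, since it does not look at `struts.properties` or at plugins such as the Convention plugin that can enable the flag.

```python
import xml.etree.ElementTree as ET

FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample configurations (not taken from HipChat or Crowd).
EXPLICIT = """<struts>
  <package name="api" namespace="/api" extends="struts-default">
    <action name="status" class="example.StatusAction"/>
  </package>
</struts>"""

LOOSE = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="web" extends="struts-default">
    <action name="home" class="example.HomeAction"/>
  </package>
  <package name="admin" namespace="/admin/*" extends="struts-default"/>
</struts>"""


def audit_struts_xml(xml_text):
    """Return the S2-057 configuration preconditions visible in one struts.xml."""
    root = ET.fromstring(xml_text)
    # The flag counts as false when no <constant> element defines it.
    flag_on = any(
        c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    loose = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        # No namespace (or the empty default namespace) and wildcard namespaces
        # are the package shapes the advisory calls out.
        if ns is None or ns.strip() == "" or "*" in ns:
            loose.append(pkg.get("name"))
    return {
        "always_select_full_namespace": flag_on,
        "loose_packages": loose,
        # Both conditions together mean "review this app", not "confirmed vulnerable".
        "preconditions_met": flag_on and bool(loose),
    }


if __name__ == "__main__":
    for label, doc in (("explicit", EXPLICIT), ("loose", LOOSE)):
        print(label, audit_struts_xml(doc))
```

A result with `preconditions_met` false supports treating a version-only scanner hit as a false positive for that file, while upgrading the Struts library remains the actual fix.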
