CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS
Summary | CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS |
---|---|
Advisory Release Date | Tue, Dec 5 2023 21:00 PST |
Products | Atlassian Companion App for MacOS |
CVE ID | CVE-2023-22524 |
Related Jira Ticket(s) | |
Summary of Vulnerability
All versions of the Atlassian Companion App for MacOS up to but not including 2.0.0 are affected by a Remote Code Execution (RCE) vulnerability, CVE-2023-22524. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow the execution of code.
The Atlassian Companion App is an optional desktop application that can be installed on users' devices to enhance the file editing experience in Confluence Data Center and Server. It enables users to edit files in their preferred desktop application before automatically saving those files to their Confluence instances. See “What You Need To Do” for detailed instructions.
Note: If you are no longer using Confluence Data Center and Server and have the Atlassian Companion App installed, you may still be vulnerable. In this case, Atlassian recommends removing the Atlassian Companion App from your device.
This vulnerability affects the Atlassian Companion App only, not Confluence Data Center and Server or Cloud sites.
The Atlassian Companion App for Windows is not impacted by this vulnerability.
Severity
Atlassian rates the severity level of this vulnerability as critical (9.6 with the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) per our internal assessment. This is our assessment, and you should evaluate its applicability to your own IT environment.
Affected Versions
This RCE vulnerability affects all versions of Atlassian Companion App for MacOS, up to but not including version 2.0.0.
Product | Affected Versions |
---|---|
Atlassian Companion App for MacOS | All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability. |
What You Need To Do
The Atlassian Companion App for MacOS will update automatically during runtime. Atlassian recommends that you confirm the version installed is one of the listed fixed versions (or any later version) below.
The fixed versions mentioned below may be incompatible with your Confluence Data Center and Server instance. You can find more details on Confluence version compatibility here.
Product | Fixed Versions |
---|---|
Atlassian Companion App for MacOS | 2.0.0 (or any later version) |
If you are not a current Confluence Data Center and Server customer, please take action to uninstall the Atlassian Companion App.
Apply temporary mitigations if unable to patch
If the Atlassian Companion App for MacOS is not showing a fixed version, and you are unable to patch, you can completely mitigate this vulnerability by uninstalling the Atlassian Companion App.
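The check above (confirm the installed Companion App is 2.0.0 or later, otherwise update or uninstall) can be scripted for a fleet of Macs. The following is an added example and not Atlassian's own tooling: it assumes the app lives at the default path /Applications/Atlassian Companion.app (override with the COMPANION_APP environment variable) and reads the bundle's CFBundleShortVersionString with the standard macOS PlistBuddy tool; the function names (version_cmp, is_fixed_version, check_companion) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Atlassian advisory: report whether the
# Atlassian Companion App installed on a Mac is at or above the fixed
# version (2.0.0), so stale installs can be updated or removed.

FIXED_VERSION="2.0.0"
# Assumed default install location; override with COMPANION_APP if needed.
COMPANION_APP="${COMPANION_APP:-/Applications/Atlassian Companion.app}"

# Keep only the leading digits of a version component ("0-beta" -> "0").
numeric_component() {
    printf '%s' "$1" | sed 's/[^0-9].*$//'
}

# Compare two dotted version strings component by component.
# Prints "lt", "eq" or "gt" for $1 relative to $2. Missing components
# count as 0, so "2.0" and "2.0.0" compare equal.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=$(numeric_component "${a%%.*}"); ca="${ca:-0}"
        cb=$(numeric_component "${b%%.*}"); cb="${cb:-0}"
        if [ "$ca" -lt "$cb" ]; then echo lt; return 0; fi
        if [ "$ca" -gt "$cb" ]; then echo gt; return 0; fi
        # Drop the component just compared; clear the string when none remain.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo eq
}

# Succeed (exit 0) when the given version is 2.0.0 or later.
is_fixed_version() {
    case "$(version_cmp "$1" "$FIXED_VERSION")" in
        lt) return 1 ;;
        *)  return 0 ;;
    esac
}

# Read CFBundleShortVersionString from the app bundle's Info.plist (macOS only).
# Prints nothing and fails when the app is not installed at $COMPANION_APP.
installed_companion_version() {
    plist="$COMPANION_APP/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null
}

# Exit status: 0 = fixed version installed, 1 = vulnerable version installed,
# 2 = Companion App not found (nothing to remediate on this host).
check_companion() {
    ver=$(installed_companion_version) || {
        echo "Atlassian Companion App not found at: $COMPANION_APP"
        return 2
    }
    if is_fixed_version "$ver"; then
        echo "Atlassian Companion App $ver installed: fixed ($FIXED_VERSION or later)"
        return 0
    fi
    echo "Atlassian Companion App $ver installed: VULNERABLE to CVE-2023-22524; update to $FIXED_VERSION or uninstall"
    return 1
}

# Run the check; keep the status in a variable so the script also works under sh -e.
COMPANION_STATUS=0
check_companion || COMPANION_STATUS=$?
```

The exit status makes the script usable from MDM or configuration-management inventory runs: a status of 1 flags a host that still needs the update or an uninstall, and a status of 2 confirms the app is absent (which is also the complete mitigation the advisory describes).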
Frequently Asked Questions (FAQ)
More details can be found on the Frequently Asked Questions (FAQ) page.
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory that aren’t answered in the FAQ, please raise a support request at Atlassian Support.
References
As per our new policy, critical security bug fixes will be backported in accordance with the Atlassian Security Bugfix Policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.
Our end of life policy varies for different products. Please refer to our EOL Policy for details.