CVE-2023-22524: CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS | Atlassian Support
Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow execution of code.
Summary
CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS
Advisory Release Date
Tue, Dec 5 2023 21:00 PST
Products
Atlassian Companion App for MacOS for:
- Confluence Server
- Confluence Data Center
CVE ID
CVE-2023-22524
Related Jira Ticket(s)
CONFSERVER-93518
Summary of Vulnerability
All versions of the Atlassian Companion App for MacOS up to but not including 2.0.0 are affected by a Remote Code Execution (RCE) vulnerability, CVE-2023-22524. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow the execution of code.
The Atlassian Companion App is an optional desktop application that can be installed on users’ devices to enhance the file editing experience in Confluence Data Center and Server. It enables users to edit files in their preferred desktop application before automatically saving those files to their Confluence instances. See “What You Need To Do” for detailed instructions.
Note: If you are no longer using Confluence Data Center and Server and have the Atlassian Companion App installed, you may still be vulnerable. In this case, Atlassian recommends removing the Atlassian Companion App from your device.
This vulnerability affects the Atlassian Companion App only, not Confluence Data Center and Server or Cloud sites.
The Atlassian Companion App for Windows is not impacted by this vulnerability.
Severity
Atlassian rates the severity level of this vulnerability as critical (9.6 with the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) per our internal assessment. This is our assessment, and you should evaluate its applicability to your own IT environment.
Affected Versions
This RCE vulnerability affects all versions of Atlassian Companion App for MacOS, up to but not including version 2.0.0.
Product: Atlassian Companion App for MacOS
Affected Versions: All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability.
What You Need To Do
The Atlassian Companion App for MacOS updates itself automatically while it is running. Atlassian recommends that you confirm the installed version is one of the fixed versions listed below (or any later version).
The fixed versions mentioned below may be incompatible with your Confluence Data Center and Server instance. You can find more details on Confluence version compatibility here.
Product: Atlassian Companion App for MacOS
Fixed Versions:
- 2.0.0 or later
If you are not a current Confluence Data Center and Server customer please take action to uninstall the Atlassian Companion App.
Apply temporary mitigations if unable to patch
If the Atlassian Companion App for MacOS is not showing a fixed version, and you are unable to patch, you can completely mitigate this vulnerability by uninstalling the Atlassian Companion App.
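The check the steps above ask for, written as an added example (this is not Atlassian's own tooling and is not code from the advisory): it reads the version string out of the installed app bundle and compares it numerically against 2.0.0, reporting whether the app is absent, fixed, or still vulnerable. The install path /Applications/Atlassian Companion.app and the use of the CFBundleShortVersionString key for the app version are assumptions; override COMPANION_APP if your bundle lives elsewhere.

```shell
#!/bin/sh
# Added example, not Atlassian's code: report whether the installed
# Atlassian Companion app on this Mac is at or above the fixed version 2.0.0
# (CVE-2023-22524). Assumptions: the default install path below, and that
# CFBundleShortVersionString in the bundle's Info.plist holds the app version.

FIXED_VERSION="2.0.0"
# Assumed default install location; override with COMPANION_APP=... if needed.
COMPANION_APP="${COMPANION_APP:-/Applications/Atlassian Companion.app}"

# version_ge A B: exit 0 when dot-separated version A >= B, 1 otherwise.
# Components are compared numerically (so 1.10.0 > 1.9.9, unlike a string
# compare); missing components count as 0, so "2" equals "2.0.0"; a trailing
# suffix such as "-beta" is dropped by awk's numeric coercion.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, av, "."); nb = split(b, bv, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? av[i] + 0 : 0
            y = (i <= nb) ? bv[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# installed_companion_version: print the bundle's version string, or fail
# (exit 1) when the app bundle is not present at COMPANION_APP.
installed_companion_version() {
    plist="$COMPANION_APP/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist"
}

# classify_version V: print "fixed" when V >= FIXED_VERSION, else "vulnerable".
classify_version() {
    if version_ge "$1" "$FIXED_VERSION"; then
        printf 'fixed\n'
    else
        printf 'vulnerable\n'
    fi
}

# companion_status: print one of not-installed / fixed / vulnerable for this machine.
companion_status() {
    v=$(installed_companion_version 2>/dev/null) || { printf 'not-installed\n'; return 0; }
    classify_version "$v"
}

status=$(companion_status)
case "$status" in
    not-installed)
        printf 'Atlassian Companion not found at %s; nothing to do.\n' "$COMPANION_APP" ;;
    fixed)
        printf 'Atlassian Companion %s is at or above %s.\n' \
            "$(installed_companion_version)" "$FIXED_VERSION" ;;
    vulnerable)
        printf 'Atlassian Companion %s is below %s: update it or uninstall it (CVE-2023-22524).\n' \
            "$(installed_companion_version)" "$FIXED_VERSION" ;;
esac
```

Run it as-is on each Mac, or feed a version string to classify_version directly when auditing an inventory export. The numeric comparison matters: a plain string compare would rank a hypothetical 1.10.0 above 2.0.0 and miss vulnerable installs.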
Frequently Asked Questions (FAQ)
More details can be found on the Frequently Asked Questions (FAQ) page.
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory that aren’t answered in the FAQ, please raise a support request at Atlassian Support.
References
Security Bugfix Policy
As per our policy, critical security bug fixes are backported in accordance with the Security Bugfix Policy | Atlassian. We release new maintenance releases for the versions covered by the policy instead of binary patches.
Binary patches are no longer released.
Severity Levels for security issues
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.
End of Life Policy
Our end of life policy varies for different products. Please refer to our EOL Policy for details.