- Public Security Vulnerability
- Resolution: Fixed
- Highest
- Companion-1.0.0, Companion-1.1.0, Companion-1.2.0, Companion-1.2.2, Companion-1.2.3, Companion-1.2.4, Companion-1.2.5, Companion-1.2.6, Companion-1.3.0, Companion-1.3.1, Companion-1.4.1, Companion-1.4.2, Companion-1.4.3, Companion-1.4.4, Companion-1.4.5, Companion-1.4.6, Companion-1.6.0, Companion-1.5.0, Companion-1.6.1
- None
- 9.6
- Critical
- CVE-2023-22524
- Atlassian (Internal)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- RCE (Remote Code Execution)

All versions of the Atlassian Companion App for macOS up to but not including 2.0.0 are affected by a Remote Code Execution (RCE) vulnerability, CVE-2023-22524. An attacker could use WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper to allow the execution of code.
The Atlassian Companion App is an optional desktop application that can be installed on users' devices to enhance the file editing experience in Confluence Data Center and Server. It enables users to edit files in their preferred desktop application before automatically saving those files to their Confluence instances. See “What You Need To Do” for detailed instructions.
Note: If you are no longer using Confluence Data Center and Server and have the Atlassian Companion App installed, you may still be vulnerable. In this case, Atlassian recommends removing the Atlassian Companion App from your device.
This vulnerability affects the Atlassian Companion App only, not Confluence Data Center and Server or Cloud sites.
The Atlassian Companion App for Windows is not impacted by this vulnerability.
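To check a Mac against the affected range stated above (every release before 2.0.0), the following added example reads the version from an app bundle's `Info.plist` and classifies it; it is not Atlassian's code. The bundle-name pattern `*Companion*.app` and the two scanned directories are assumptions, since the page does not give the install path.

```python
import plistlib
import re
import sys
from pathlib import Path

FIXED = (2, 0, 0)  # advisory: every macOS release before 2.0.0 is affected

def parse_version(text):
    """Accept '1.6.1' or the tracker's 'Companion-1.6.1'; return a 3-tuple of ints."""
    match = re.search(r"\d+(?:\.\d+)*", str(text))
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in match.group(0).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version, platform=sys.platform):
    # The advisory states the Windows app is not impacted, so only macOS counts.
    return platform == "darwin" and parse_version(version) < FIXED

def bundle_version(info_plist):
    """Read the marketing version from Info.plist bytes (XML or binary plist)."""
    info = plistlib.loads(info_plist)
    version = info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")
    if not version:
        raise ValueError("Info.plist carries no version key")
    return version

def scan(app_dirs, platform=sys.platform):
    """Return (bundle path, version, affected) per bundle; None marks unreadable."""
    findings = []
    for app_dir in app_dirs:
        # Assumption: the bundle name contains "Companion".
        pattern = "*Companion*.app/Contents/Info.plist"
        for plist in sorted(Path(app_dir).expanduser().glob(pattern)):
            bundle = str(plist.parents[1])
            try:
                version = bundle_version(plist.read_bytes())
                findings.append((bundle, version, is_affected(version, platform)))
            except Exception:  # unreadable or malformed: flag for manual review
                findings.append((bundle, None, None))
    return findings

if __name__ == "__main__":
    results = scan(["/Applications", "~/Applications"])  # assumed install locations
    for bundle, version, affected in results:
        label = {True: "AFFECTED", False: "ok", None: "unreadable"}[affected]
        print(f"{bundle}\t{version}\t{label}")
    sys.exit(1 if any(a is not False for _, _, a in results) else 0)
```

The script exits non-zero when any bundle is affected or could not be read, so it can gate a fleet-management compliance check.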