CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

Summary

CVE-2023-22524 - RCE Vulnerability in Atlassian Companion App for MacOS

Advisory Release Date

Tue, Dec 5 2023 21:00 PST

Products

  • Atlassian Companion App for MacOS for

    • Confluence Server

    • Confluence Data Center

CVE ID

CVE-2023-22524

Related Jira Ticket(s)

CONFSERVER-93518

Summary of Vulnerability

All versions of the Atlassian Companion App for MacOS up to but not including 2.0.0 are affected by a Remote Code Execution (RCE) vulnerability, CVE-2023-22524. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow the execution of code.

The Atlassian Companion App is an optional desktop application that can be installed on users' devices to enhance the file editing experience in Confluence Data Center and Server. It enables users to edit files in their preferred desktop application before automatically saving those files to their Confluence instances. See “What You Need To Do” for detailed instructions.

Note: If you are no longer using Confluence Data Center and Server and have the Atlassian Companion App installed, you may still be vulnerable. In this case, Atlassian recommends removing the Atlassian Companion App from your device.


This vulnerability affects the Atlassian Companion App only, not Confluence Data Center and Server or Cloud sites.

The Atlassian Companion App for Windows is not impacted by this vulnerability.

Severity

Atlassian rates the severity level of this vulnerability as critical (9.6 with the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) per our internal assessment. This is our assessment, and you should evaluate its applicability to your own IT environment.

Affected Versions

This RCE vulnerability affects all versions of Atlassian Companion App for MacOS, up to but not including version 2.0.0.

Product | Affected Versions
Atlassian Companion App for MacOS | All versions (MacOS) up to but not including 2.0.0 are affected by the vulnerability.

What You Need To Do

The Atlassian Companion App for MacOS updates itself automatically during runtime. Atlassian recommends that you confirm the installed version is one of the fixed versions listed below (or any later version).

The fixed versions mentioned below may be incompatible with your Confluence Data Center and Server instance. You can find more details on Confluence version compatibility here.

Product | Fixed Versions
Atlassian Companion App for MacOS | 2.0.0 or later

If you are not a current Confluence Data Center and Server customer please take action to uninstall the Atlassian Companion App.

If You Cannot Patch, Apply a Temporary Mitigation

If the Atlassian Companion App for MacOS is not showing a fixed version, and you are unable to patch, you can completely mitigate this vulnerability by uninstalling the Atlassian Companion App.
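A defender-side check for the two steps above (confirm the installed version is 2.0.0 or later, otherwise treat the app as affected and a candidate for uninstall), written as an added example rather than Atlassian's own tooling. It assumes the app bundle lives at /Applications/Atlassian Companion.app and that its version is the CFBundleShortVersionString in the bundle's Info.plist; both are assumptions, not facts from the advisory.

```python
"""Assess whether an installed Atlassian Companion App for MacOS bundle is at a
fixed version (2.0.0 or later) for CVE-2023-22524."""
import plistlib
from pathlib import Path

FIXED_VERSION = (2, 0, 0)  # first fixed version named in the advisory

# Assumed default install location; adjust if the app is installed elsewhere.
DEFAULT_BUNDLE = Path("/Applications/Atlassian Companion.app")


def parse_version(text: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so comparison is numeric, not lexical
    ('10.0.0' must not sort below '2.0.0')."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version: str) -> bool:
    """True when the version is 2.0.0 or later, i.e. not affected."""
    return parse_version(version) >= FIXED_VERSION


def version_from_plist(plist_bytes: bytes) -> str:
    """Read CFBundleShortVersionString from an Info.plist (XML or binary)."""
    info = plistlib.loads(plist_bytes)
    return str(info["CFBundleShortVersionString"])


def assess_bundle(bundle=DEFAULT_BUNDLE) -> str:
    """Return 'fixed', 'affected' or 'not installed' for a bundle path."""
    plist_path = Path(bundle) / "Contents" / "Info.plist"
    if not plist_path.is_file():
        return "not installed"  # no Companion bundle: nothing to uninstall
    return "fixed" if is_fixed(version_from_plist(plist_path.read_bytes())) else "affected"


# Constructed sample Info.plist (not taken from a real bundle) for offline use.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleShortVersionString</key><string>1.10.2</string>
</dict></plist>"""

if __name__ == "__main__":
    print("sample plist:", "fixed" if is_fixed(version_from_plist(SAMPLE_PLIST)) else "affected")
    print("local install:", assess_bundle())
```

Run it on each Mac in the fleet (or point assess_bundle at a mounted image) and act on any "affected" result by updating to 2.0.0 or uninstalling, per the sections above.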


Frequently Asked Questions (FAQ)

More details can be found on the Frequently Asked Questions (FAQ) page.

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory that aren’t answered in the FAQ, please raise a support request at Atlassian Support.

References

Security Bug Fix Policy

As per our new policy, critical security bug fixes will be backported in accordance with Security Bugfix Policy | Atlassian. We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released.

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to our EOL Policy for details.

Last updated: December 6, 2023
