Cyber Resilience

CVE-2023-22524

Critical

Published: 06 December 2023

Modified: 21 November 2024
KEV Added: not listed (see Summary)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3202 (96.9th percentile)
Risk Priority: 39 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-22524 is a critical-severity vulnerability of unspecified weakness type in Atlassian Companion. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-22524 is a remote code execution flaw in certain versions of the Atlassian Companion App for macOS. It stems from improper handling of WebSocket connections, which allows the app's blocklist and macOS Gatekeeper to be circumvented, resulting in unauthorized code execution on the host system.

An unauthenticated remote attacker can exploit the issue over the network without user interaction to obtain arbitrary code execution, yielding full control over confidentiality, integrity, and availability of the affected macOS endpoint.

Atlassian security advisories referenced at the listed URLs address the vulnerability and outline remediation guidance for impacted Companion App versions. The EPSS score has remained in the 0.32–0.35 range without a pronounced post-disclosure climb.


Vulnerability details

Certain versions of the Atlassian Companion App for macOS were affected by a remote code execution vulnerability. An attacker could utilize WebSockets to bypass Atlassian Companion's blocklist and macOS Gatekeeper to allow execution of code.

CWE(s): none assigned (weakness type unspecified)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: atlassian
Product: companion
Affected versions: 1.0.0 to 2.0.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
