CVE-2023-22524
Published: 06 December 2023
Summary
CVE-2023-22524 is a critical-severity vulnerability in Atlassian Companion; its weakness type (CWE) is unspecified. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-22524 is a remote code execution flaw in certain versions of the Atlassian Companion App for macOS. Companion is a desktop helper that Confluence pages drive over a local WebSocket connection, so that channel is the app's exposed attack surface. The flaw stems from improper handling of WebSocket requests: an attacker can use WebSockets to circumvent the app's blocklist and macOS Gatekeeper, resulting in unauthorized code execution on the host system.
As scored, an unauthenticated remote attacker can exploit the issue over the network without user interaction to obtain arbitrary code execution, yielding full control over the confidentiality, integrity, and availability of the affected macOS endpoint.
Atlassian's security advisory for this CVE addresses the vulnerability and outlines remediation guidance for impacted Companion App versions; the remediation is to upgrade to a fixed version of the app. The EPSS score has remained in the 0.32–0.35 range without a pronounced post-disclosure climb.
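Because the fix is a client-side upgrade, the practical control is an endpoint inventory: find every macOS host with Companion installed and compare the bundle version against the fixed version from Atlassian's advisory. The script below is an added example, not Atlassian's code or tooling from this page. It assumes the default install path /Applications/Atlassian Companion.app and reads CFBundleShortVersionString from Info.plist via the standard library; the fixed-version threshold (here 2.0.0) is an assumption and should be taken from the vendor advisory, and the embedded plist is a constructed sample so the check runs offline.

```python
"""Inventory check: is the installed Atlassian Companion older than the fixed version?

Added example, not vendor code. Install path and the fixed-version
threshold are assumptions; confirm both against Atlassian's advisory.
"""
import plistlib
import re
from pathlib import Path

# Assumed default install location on macOS; per-user installs may live under ~/Applications.
COMPANION_PLIST = "/Applications/Atlassian Companion.app/Contents/Info.plist"
# Assumed fixed version for CVE-2023-22524; take the real value from the advisory.
FIXED_VERSION = "2.0.0"

# Constructed sample Info.plist (not a real Companion bundle) for offline runs.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>Atlassian Companion</string>
  <key>CFBundleShortVersionString</key><string>1.3.0</string>
  <key>CFBundleVersion</key><string>1300</string>
</dict>
</plist>
"""


def parse_version(v: str) -> tuple:
    """Map '1.2.10-beta+build7' to (1, 2, 10): strip pre-release/build tags,
    take the leading digits of each dotted component, non-numeric parts become 0."""
    core = v.strip().split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b; shorter tuples are zero-padded
    so '2.1' compares as (2, 1, 0) against '2.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def bundle_version(plist_bytes: bytes) -> str:
    """Return the marketing version from an Info.plist, falling back to CFBundleVersion."""
    info = plistlib.loads(plist_bytes)
    return str(info.get("CFBundleShortVersionString") or info.get("CFBundleVersion") or "")


def assess(plist_bytes: bytes, fixed_version: str = FIXED_VERSION) -> dict:
    """Classify an installed bundle; 'affected' is None when no version could be read."""
    version = bundle_version(plist_bytes)
    if not version:
        return {"installed": True, "version": None, "affected": None}
    return {"installed": True, "version": version, "affected": version_lt(version, fixed_version)}


def check_endpoint(plist_path: str = COMPANION_PLIST, fixed_version: str = FIXED_VERSION) -> dict:
    """Read the real Info.plist from disk; a missing bundle means Companion is not installed."""
    path = Path(plist_path)
    if not path.is_file():
        return {"installed": False, "version": None, "affected": False}
    return assess(path.read_bytes(), fixed_version)


if __name__ == "__main__":
    # Run against the constructed sample, then against the local machine.
    print("sample:", assess(SAMPLE_PLIST))
    print("this host:", check_endpoint())
```

Run it under an MDM script or SSH fan-out and collect the dict per host; any record with `affected` true is an upgrade target, and `affected` None (bundle present but unreadable version) should be triaged by hand rather than silently passed.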
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-26664
Vulnerability details
Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow execution of code.
- CWE(s): none assigned (weakness type unspecified)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.