CVE-2023-22524

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on macOS systems running vulnerable versions of the Atlassian Companion App. Attackers can bypass the app's blocklist and macOS Gatekeeper protections via WebSockets. Affected users are those running the Atlassian Companion App on macOS.

💻 Affected Systems

Products:
  • Atlassian Companion App
Versions: Versions before 2.2.0
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS version of Atlassian Companion App. Requires app to be installed and running.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attacker to install malware, steal data, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Attacker gains initial foothold on target system, potentially leading to data exfiltration or ransomware deployment.

🟢

If Mitigated

Attack prevented through patching or workarounds, with minimal to no impact on systems.

🌐 Internet-Facing: HIGH - WebSocket-based attack can be triggered remotely without user interaction in certain scenarios.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

WebSocket-based attack bypasses multiple security controls. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0 and later

Vendor Advisory: https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerability-in-atlassian-companion-app-for-macos-1319249492.html

Restart Required: Yes

Instructions:

1. Open Atlassian Companion App.
2. Check for updates in app settings.
3. Update to version 2.2.0 or later.
4. Restart the application.

🔧 Temporary Workarounds

Uninstall Atlassian Companion App

macos

Remove the vulnerable application entirely to eliminate the attack surface.

sudo rm -rf /Applications/Atlassian\ Companion.app
rm -rf ~/Library/Application\ Support/Atlassian\ Companion

Disable WebSocket connections

macos

Block inbound connections to the Atlassian Companion App using the macOS application firewall. The firewall must be enabled (--setglobalstate on) for the per-app block to take effect, and the flag that blocks an application is --blockapp.

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Atlassian\ Companion.app/Contents/MacOS/Atlassian\ Companion
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --blockapp /Applications/Atlassian\ Companion.app/Contents/MacOS/Atlassian\ Companion

🧯 If You Can't Patch

  • Uninstall the Atlassian Companion App immediately
  • Implement network segmentation to isolate systems with the vulnerable app

🔍 How to Verify

Check if Vulnerable:

Check the Atlassian Companion App version in the About section, or read it from the app bundle with the mdls command below.

Check Version:

mdls -name kMDItemVersion /Applications/Atlassian\ Companion.app

Verify Fix Applied:

Confirm that the version reported by the mdls command above is 2.2.0 or higher.
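The manual check above compares one version string by eye. The script below, an added example that is not part of the original page or of Atlassian's own tooling, reads the bundle version with the same mdls query and compares it numerically against the fixed release 2.2.0, so it can be run across a fleet and chained on its exit status. It assumes the default install path /Applications/Atlassian Companion.app; the function names are the example's own.

```shell
#!/bin/sh
# Added example: check whether the installed Atlassian Companion App is
# older than the fixed version 2.2.0 (CVE-2023-22524). Not from the original
# page or from Atlassian; the application path is an assumption (default install).

APP_PATH="/Applications/Atlassian Companion.app"
FIXED_VERSION="2.2.0"

# version_lt A B: return 0 (true) when dotted version A is strictly older
# than B. Components are compared numerically, so 2.10.0 is newer than 2.2.0
# and a missing component counts as 0 (2.2 == 2.2.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# installed_version: print the bundle version recorded by Spotlight metadata.
# mdls prints a line like: kMDItemVersion = "2.1.0"; prints nothing if unset.
installed_version() {
    mdls -name kMDItemVersion "$APP_PATH" 2>/dev/null | sed -n 's/.*= *"\(.*\)"/\1/p'
}

# assess_version V: print a verdict for version string V.
# Exit status 0 = fixed release installed, 1 = vulnerable version.
assess_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE: Atlassian Companion $1 is older than $FIXED_VERSION (CVE-2023-22524)"
        return 1
    fi
    echo "OK: Atlassian Companion $1 is at or above $FIXED_VERSION"
    return 0
}

# main: locate the app, read its version, and report.
# Exit status 2 means the app is absent or its version could not be read.
main() {
    if [ ! -d "$APP_PATH" ]; then
        echo "NOT INSTALLED: $APP_PATH not found"
        return 2
    fi
    ver=$(installed_version)
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not read kMDItemVersion from $APP_PATH"
        return 2
    fi
    assess_version "$ver"
}

# Run the check only when invoked with --check, so the functions can also be
# sourced by other scripts without side effects.
if [ "${1:-}" = "--check" ]; then
    main
    exit $?
fi
```

Run it as `sh check_companion.sh --check`; a non-zero exit status means the host needs attention (1 = vulnerable version present, 2 = app missing or version unreadable). The numeric comparison matters because a plain string comparison would rank 2.10.0 below 2.2.0.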

📡 Detection & Monitoring

Log Indicators:

  • Unusual WebSocket connections to Atlassian Companion process
  • Process execution from unexpected locations
  • Gatekeeper bypass attempts in system logs

Network Indicators:

  • WebSocket traffic to Atlassian Companion App on non-standard ports
  • Unusual outbound connections from Atlassian Companion process

SIEM Query:

process_name:"Atlassian Companion" AND (event_type:process_execution OR event_type:network_connection)
