Atlassian Companion App for MacOS: Critical RCE Vulnerability Found, Patch Now

A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2023-22524 (CVSS score of 9.6), has been discovered in the Atlassian Companion App for MacOS. This vulnerability allows an attacker to execute arbitrary code on an affected macOS device. All versions of the Atlassian Companion App for MacOS up to but not including 2.0.0 are vulnerable.

What is Atlassian Companion App?

The Atlassian Companion App is an optional desktop application that can be installed on users’ macOS devices to enhance the file editing experience in Confluence Data Center and Server. It enables users to edit files in their preferred desktop application before automatically saving those files back to their Confluence instance.

What is the Vulnerability?

This RCE vulnerability exists in the Atlassian Companion App’s communication with Atlassian Confluence. It allows an attacker to bypass Atlassian Companion’s blocklist and macOS Gatekeeper to execute code on an affected device.

Who is Affected?

CVE-2023-22524 affects all versions of the Atlassian Companion App for MacOS, up to but not including version 2.0.0.

What Should I Do?

Atlassian strongly recommends that all affected Atlassian Companion App for MacOS installations are updated to version 2.0.0 or later.

How to Patch

The Atlassian Companion App for MacOS will update automatically during runtime. To confirm the installed version, follow these steps:

  • Open the Atlassian Companion App.
  • Click on the “Companion” menu in the top menu bar.
  • Select “About Atlassian Companion.”
  • The installed version will be displayed in the About window.
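For checking many Macs at once (for example from an MDM or fleet script) rather than clicking through the About window, the following added example reads the bundle version and compares it against the fixed version 2.0.0. It is not Atlassian's code; it assumes the app bundle is installed at /Applications/Atlassian Companion.app and that its Info.plist carries the standard CFBundleShortVersionString key.

```shell
#!/bin/sh
# Added example: flag Atlassian Companion App installs below the fixed version 2.0.0 (CVE-2023-22524).
# Assumption: the app bundle lives at /Applications/Atlassian Companion.app (not stated in the advisory).

FIXED_VERSION="2.0.0"
APP_PLIST="/Applications/Atlassian Companion.app/Contents/Info.plist"

# Return 0 (true) if $1 is strictly lower than $2 as a dotted numeric version.
# Uses portable sort keys instead of GNU 'sort -V', which macOS lacks.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$1" ]
}

# Print "vulnerable" or "patched" for a given installed version string.
classify_version() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo patched
  fi
}

# Read the installed version from the bundle's Info.plist; fail if the app is absent.
installed_version() {
  [ -f "$APP_PLIST" ] || return 1
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$APP_PLIST"
}

main() {
  if v=$(installed_version); then
    echo "Atlassian Companion $v: $(classify_version "$v")"
  else
    echo "Atlassian Companion App not found at $APP_PLIST (not affected by CVE-2023-22524)"
  fi
}

main
```

On a patched machine the script prints "patched"; a "vulnerable" result means the automatic update has not run and the app should be updated or, per the mitigation below, uninstalled.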

Temporary Mitigation

If you are unable to patch it immediately, you can completely mitigate this vulnerability by uninstalling the Atlassian Companion App for MacOS.