Atlassian Companion 1.2.2 - Remote Code Execution

Disclosed by
matt
  • Engagement Atlassian
  • Disclosed date almost 3 years ago
  • Points 10
  • Priority P3 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by Atlassian

Remote code execution vulnerability in Atlassian Companion

Summary by matt

Atlassian Companion is a desktop app that lets you edit files with a program on your computer, then easily re-upload them to Confluence. The Atlassian Companion app hosts a local websocket server to communicate with the page.

The Confluence site sends the extension to the local app to determine what application to open for editing.

For windows the following is blocked: .com;.exe;.bat;.cmd;.vbs;.vbe;.js;.jse;.wsf;.wsh;.msc;.com;.exe;.bat;.cmd;.vbs;.vbe;.js;.jse;.wsf;.wsh;.msc

However the following extensions are allowed and can execute arbitrary commends when opened:
Window: .msi, lnk, chm, hta
MacOs: .terminal file. (this is a setting file for the terminal that has a section for a startup script). Other file types like pkg, tool, term, will also work.

It was possible to force the application to open one of these unsafe file types, resulting in remote code execution.

Activity