CVE-2024-23755 - Vulnerability in ClickUp Desktop Applications | Arbitrary Code Execution in ClickUp application for MacOS and Windows

OVERVIEW

This advisory addresses a vulnerability in the ClickUp Desktop Application (affected versions listed below) that could allow an attacker with local access to execute arbitrary code in the context of the application and disclose sensitive data.

ClickUp Desktop before 3.3.77 on macOS and Windows allows code injection because the packaged application shipped with certain Electron fuses, notably RunAsNode, left enabled. With RunAsNode enabled, the Electron binary honours the ELECTRON_RUN_AS_NODE environment variable and can be started as a plain Node.js runtime, so a local attacker can run arbitrary JavaScript inside the signed ClickUp executable, with the identity and permissions granted to the application, without having to inject into a running process. Builds from 3.3.77 onward no longer allow this.

ClickUp is not aware of any exploitation of this vulnerability.

ClickUp investigates all reports of security vulnerabilities affecting the ClickUp services. A Security Advisory Note will be issued once the analysis is complete and the software update is made available. Installing the recommended update(s) in this advisory will help maintain the security of your ClickUp services.


VULNERABILITY INFORMATION

CVE Identifier: CVE-2024-23755

Vulnerability Type: Arbitrary Code Execution

CVSS Score: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Product(s):
  • ClickUp for macOS Intel, version 3.3.76 and earlier. Fix introduced in 3.3.77.
  • ClickUp for macOS arm64, version 3.3.76 and earlier. Fix introduced in 3.3.77.
  • ClickUp for Windows, version 3.3.76 and earlier. Fix introduced in 3.3.77.

Affected Component(s): ClickUp Desktop App for macOS and Windows

Non-Affected Component(s): N/A

Who Should Read This Advisory / Apply Software Update(s): Administrators and end users who maintain or support the affected ClickUp Desktop Application.

Requirements for Attacker to be Successful: To exploit this vulnerability, an attacker must run a malicious application on the end user's machine with the affected software installed.

Impact if Requirements are Met: Without this check in place, an attacker who runs the malicious code may execute arbitrary code in the context of the ClickUp application and gain access to sensitive information that is not available to ordinary non-privileged processes.

Mitigations: This issue is mitigated by the requirement that an attacker must already have local access to the target system.

Workaround(s) / Recommendation(s): All workarounds should be considered temporary measures. ClickUp recommends that customers install the latest update(s) to protect their systems. There are no workarounds for this vulnerability.

Software Update(s): ClickUp Desktop Applications 3.3.79 and greater are available through the ClickUp Download Centre at https://clickup.com/download


DEFINITIONS

CVE 

Common Vulnerabilities and Exposures is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS 

Common Vulnerability Scoring System is a vendor agnostic, industry open standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency for update deployment within an organization and can range from 0.0 (no vulnerability) to 10.0 (critical). ClickUp uses CVSSv3 in vulnerability assessments to present an immutable characterization of security vulnerabilities. ClickUp assigns all relevant security vulnerabilities a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Mitigations 

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

Workarounds 

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.

ACKNOWLEDGEMENTS

ClickUp would like to thank Mykola Grymalyuk of RIPEDA Consulting for their involvement in helping protect our customers.

TIMELINE

  • Email received - December 23, 2023
  • Reply to security researcher - December 27, 2023
  • Issue accepted - December 27, 2023
  • CVE number requested - January 9, 2024
  • Issue fixed and available to customers - January 16, 2024
  • CVE number received - January 25, 2024
  • Published SAN - 8 Mar, 2024

CHANGE LOG

8 Mar, 2024
Initial Publication

FIRST PUBLISHED DATE

8 Mar, 2024

LAST MODIFIED DATE

19 Mar, 2024