On February 5th, Asana received a report from a third-party researcher about an issue in the Asana desktop app that a malicious actor could have used to compromise the application.
In principle, the issue could have allowed an attacker to read files from a computer running the Asana app. We have no evidence that anyone has exploited this issue.
We have fixed this issue in version 1.6.0 of the desktop app, released on February 9th. If you still have a vulnerable version of the desktop app, it will automatically prompt you to upgrade. If you are unsure, you can download the new version of the app from the "Download the Asana App for Mobile and Desktop" page on the Asana website. All users of the Asana desktop app are strongly encouraged to upgrade to the newest version (1.6.0), which fixes this issue. Users who do not use the desktop app are unaffected.
If you have any follow-up questions or require assistance, please reach out to our support team.
Thank you to security researcher Hector “p3rr0” Peralta for telling us about this issue. This issue has been assigned CVE-2022-26877.