SourceTree Security Advisory 2017-05-10

SourceTree - Command Injection - CVE-2017-8768

Note: As of September 2014 we are no longer issuing binary bug patches; instead, we create new maintenance releases for the major versions we are backporting.

Summary

CVE-2017-8768 - Command Injection

Advisory Release Date

2017-05-10 10:00 AM PDT (Pacific Time, -7 hours)

Products
  • SourceTree for Mac
  • SourceTree for Windows

Affected SourceTree Versions

  • SourceTree for Mac 1.4.0 <= version < 2.5.1 
  • SourceTree for Windows 0.8.4b <= version < 2.0.20.1

Fixed SourceTree Versions

  • Versions of SourceTree for Mac equal to and above 2.5.1 contain a fix for this issue.
  • Versions of SourceTree for Windows equal to and above 2.0.20.1 contain a fix for this issue.

CVE ID(s)

  • CVE-2017-8768
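To check an installed-software inventory against the affected and fixed ranges listed above, here is an added example (it is not Atlassian's code and not part of the advisory). The lower bound of each range is inclusive and the upper bound exclusive, as the advisory states. The inventory rows are constructed, and the handling of a letter suffix such as "0.8.4b" (a suffixed component sorts after the same number without a suffix) is an assumption about how such versions order.

```python
import re

# Affected ranges exactly as given in the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = {
    "mac": ("1.4.0", "2.5.1"),
    "windows": ("0.8.4b", "2.0.20.1"),
}

# A version component is digits optionally followed by letters, e.g. "4" or "4b".
COMPONENT_RE = re.compile(r"^(\d+)([A-Za-z]*)$")


def parse_version(version: str) -> list:
    """Split "2.0.20.1" or "0.8.4b" into comparable (number, suffix) tuples."""
    parts = []
    for comp in version.strip().split("."):
        m = COMPONENT_RE.match(comp)
        if not m:
            raise ValueError(f"unrecognised version component {comp!r} in {version!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return parts


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is before, equal to or after b.

    Shorter versions are padded with (0, "") so "2.0.20" sorts before "2.0.20.1".
    Assumption: a suffixed component ("4b") sorts after the bare number ("4")."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [(0, "")] * (n - len(pa))
    pb += [(0, "")] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(platform: str, version: str) -> bool:
    """True when version falls inside the advisory's affected range for the platform."""
    lo, hi = AFFECTED_RANGES[platform.lower()]
    return compare_versions(version, lo) >= 0 and compare_versions(version, hi) < 0


def triage(inventory) -> list:
    """Given (host, platform, version) rows, return the rows that still need an upgrade."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("dev-mac-01", "mac", "2.4.1"),
        ("dev-mac-02", "mac", "2.5.1"),
        ("dev-win-01", "windows", "2.0.20"),
        ("dev-win-02", "windows", "2.0.20.1"),
    ]
    for row in triage(sample):
        print("needs upgrade:", row)
```

The check reads the fixed versions as the first safe release on each platform, so a host reporting exactly 2.5.1 (Mac) or 2.0.20.1 (Windows) is not flagged.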


Summary of Vulnerability

This advisory discloses a critical security vulnerability in versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 and SourceTree for Windows starting with 0.8.4b but before 2.0.20.1.

Customers who have upgraded SourceTree for Mac to version 2.5.1 are not affected.

Customers who have upgraded SourceTree for Windows to version 2.0.20.1 are not affected.

Customers who have downloaded and installed either of the following:

  • SourceTree for Mac starting with 1.4.0 but before 2.5.1 (the fixed version for 2.5.x)
  • SourceTree for Windows starting with 0.8.4b but before 2.0.20.1 (the fixed version for 2.0.x)

Please upgrade SourceTree to the latest version to fix this vulnerability.

Command Injection (CVE-2017-8768)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

SourceTree for Mac and Windows are affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface.

Versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 are affected by this vulnerability. This issue can be tracked here.

Versions of SourceTree for Windows starting with 0.8.4b but before 2.0.20.1 are affected by this vulnerability. This issue can be tracked here.
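The advisory describes the vulnerability class (untrusted input reaching a command through a registered URI handler) without detailing SourceTree's URI format, so the following is an added, generic illustration of how a desktop client can validate a handler URI before invoking git; it is not SourceTree's code and not derived from the advisory. The scheme name `exampleclient://`, the `clone` action and the `url`/`dest` parameters are hypothetical. The defensive points it shows are: build an argv list and never a shell string, allowlist the repository URL scheme and characters, reject values that begin with `-` so they cannot be read as git options, terminate option parsing with `--`, and confine the destination directory.

```python
import re
import subprocess
from pathlib import Path
from urllib.parse import urlparse, parse_qs

OUR_SCHEME = "exampleclient"  # hypothetical handler scheme, not SourceTree's
ALLOWED_REPO_SCHEMES = {"https", "ssh", "git"}
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
PATH_RE = re.compile(r"^/[A-Za-z0-9._/-]*$")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UnsafeUriError(ValueError):
    """Raised when a handler URI fails validation."""


def validate_repo_url(repo_url: str) -> str:
    """Accept only a well-formed repository URL on an allowlisted scheme."""
    if not repo_url or repo_url.startswith("-"):
        raise UnsafeUriError("repository URL must not begin with '-' (git would read it as an option)")
    p = urlparse(repo_url)
    if p.scheme not in ALLOWED_REPO_SCHEMES:
        raise UnsafeUriError(f"repository scheme not allowed: {p.scheme!r}")
    if p.password is not None:
        raise UnsafeUriError("embedded password is not accepted")
    if p.username is not None and not NAME_RE.match(p.username):
        raise UnsafeUriError("malformed user name")
    try:
        p.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise UnsafeUriError("malformed port") from exc
    if not HOST_RE.match(p.hostname or ""):
        raise UnsafeUriError("malformed host")
    if not PATH_RE.match(p.path):
        raise UnsafeUriError("repository path contains characters outside the allowlist")
    if p.params or p.query or p.fragment:
        raise UnsafeUriError("path parameters, query and fragment are not accepted")
    return repo_url


def handle_clone_uri(handler_uri: str, base_dir: str) -> dict:
    """Validate a hypothetical exampleclient://clone?url=...&dest=... URI.

    Returns {"accepted": True, "argv": [...]} or {"accepted": False, "reason": ...}.
    Nothing is executed here; run_clone() executes the returned argv."""
    try:
        parsed = urlparse(handler_uri)
        if parsed.scheme != OUR_SCHEME or parsed.netloc != "clone":
            raise UnsafeUriError("unsupported handler action")
        params = parse_qs(parsed.query, keep_blank_values=True)
        if sorted(params) != ["dest", "url"] or any(len(v) != 1 for v in params.values()):
            raise UnsafeUriError("expected exactly one 'url' and one 'dest' parameter")
        repo_url = validate_repo_url(params["url"][0])
        dest_name = params["dest"][0]
        if not NAME_RE.match(dest_name):
            raise UnsafeUriError("destination name contains characters outside the allowlist")
        base = Path(base_dir).resolve()
        dest = (base / dest_name).resolve()
        if dest.parent != base:
            raise UnsafeUriError("destination escapes the base directory")
    except UnsafeUriError as exc:
        return {"accepted": False, "reason": str(exc)}
    # An argv list, never a shell string; '--' ends git's option parsing so
    # neither value can be interpreted as a flag.
    return {"accepted": True, "argv": ["git", "clone", "--", repo_url, str(dest)]}


def run_clone(decision: dict) -> int:
    """Execute an accepted decision without a shell; rejected ones return 1."""
    if not decision["accepted"]:
        return 1
    return subprocess.run(decision["argv"], check=False).returncode


if __name__ == "__main__":
    # Constructed sample of what a browser might hand to the registered handler.
    sample = "exampleclient://clone?url=https%3A%2F%2Fgit.example.com%2Fteam%2Frepo.git&dest=repo"
    print(handle_clone_uri(sample, "repos"))
```

Logging the rejection reason from `handle_clone_uri` gives a detection point: a burst of rejected handler URIs on a workstation is worth a look even when nothing was executed.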

What You Need to Do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree, see the release notes for Mac and Windows. You can download the latest versions of SourceTree from the SourceTree website.

Upgrade SourceTree for Mac to version 2.5.1 or higher. Please note that, since SourceTree for Mac 2.5.0, Mac OS X 10.11 or later is required.

Upgrade SourceTree for Windows to version 2.0.20.1 or higher.

Support

If you did not receive an email for this advisory and wish to receive such emails in the future, please go to https://my.atlassian.com/email and subscribe to "Product information & updates" for SourceTree. To receive advisories for our other products, please go to https://my.atlassian.com/email and subscribe to relevant alerts.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

Acknowledgements

Atlassian would like to credit Yu Hong for reporting this issue to us.

References

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
