SourceTree Security Advisory 2017-08-11

Still need help?

The Atlassian Community is here for you.

Ask the community

SourceTree - Remote Code Execution via Git and Mercurial.

Summary

Multiple CVEs - Remote Code Execution via Git and Mercurial - Remote Code Execution via command injection.

Advisory Release Date

 10 AM PDT (Pacific Time, -7 hours)

Product
  • SourceTree for macOS
  • SourceTree for Windows

Affected SourceTree Versions

  • SourceTree for macOS 1.0b2 <= version <  2.6.1
  • SourceTree for Windows 0.5.1.0 <= version < 2.1.10

Fixed SourceTree Versions

  • Versions of SourceTree for macOS equal to and above 2.6.1 contain a fix for this issue.
  • Versions of SourceTree for Windows equal to and above 2.1.10 contain a fix for this issue.
CVE ID(s)

Git: CVE-2017-1000117

Mercurial: CVE-2017-1000115, CVE-2017-1000116

SVN: CVE-2017-9800

 

Summary of Vulnerabilities

This advisory discloses critical severity security vulnerabilities which affect SourceTree for macOS and SourceTree for Windows.

Customers who have upgraded SourceTree for macOS to version 2.6.1 are not affected.

Customers who have upgraded SourceTree for Windows to version 2.1.10 are not affected.

Customers who have downloaded and installed SourceTree for macOS starting with 1.0b2 before version 2.6.1

Customers who have downloaded and installed SourceTree for Windows starting with 0.5.1.0 before version 2.1.10

Please upgrade your SourceTree for macOS or SourceTree for Windows installations immediately to fix the vulnerabilities mentioned in this advisory.

 

SourceTree for macOS and Windows - Remote Code Execution via Git and Mercurial - Multiple CVEs

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

SourceTree for macOS and Windows are affected by vulnerabilities found in the Git and Mercurial software. This vulnerability can be triggered through a malicious repository when it is checked out using SourceTree.

From version 1.4.0 of SourceTree for macOS and 0.8.4b of SourceTree for Windows, this vulnerability can be triggered from a webpage through the use of the SourceTree URI handler.

Versions of SourceTree for macOS starting with 1.0b2 before version 2.6.1 are affected by this vulnerability. This issue can be tracked here.

Versions of SourceTree for Windows starting with 0.5.1.0 before version 2.1.10 are affected by this vulnerability. This issue can be tracked here.

 

What You Need to Do

Atlassian recommends that you upgrade to the latest version of SourceTree:

  • To version 2.6.1 or higher for macOS. 
    NOTE
    : Mac OSX 10.11 or later is requred for SourceTree 2.5.0 or later.
  • To version 2.1.10 or higher for Windows and manually uninstall any older versions of SourceTree.

For a full description of the latest version of SourceTree, see the release notes for macOS and Windows. You can download the latest versions of SourceTree from the SourceTree website.

If you have Apache Subversion(SVN) installed please update it to use a version containing a fix for CVE-2017-9800.


Support

Atlassian supports SourceTree through the Atlassian Community. If you have questions or concerns regarding this advisory, go to https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree.

References

Severity Levels for security issuesAtlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
Last modified on Aug 11, 2017

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.