Sourcetree Security Advisory 2018-04-25


Sourcetree - Argument injection via Mercurial tag names on Windows - CVE-2018-5226

Summary

CVE-2018-5226 - Argument injection through the name of a tag for Windows

Advisory Release Date

10:00 AM PDT (Pacific Time, -7 hours)

Product: Sourcetree for Windows

Affected Sourcetree Versions

    • All versions of SourceTree for Windows before version 2.5.5.0

Fixed Sourcetree Versions

    • Sourcetree for Windows version 2.5.5.0 and later.

CVE ID(s): CVE-2018-5226


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which affects Sourcetree for Windows before 2.5.5.0 (the fixed version).


Customers who have upgraded Sourcetree for Windows to version 2.5.5.0 and later are not affected.

Customers using Sourcetree for Mac are not affected.

Customers who have downloaded and installed Sourcetree for Windows before version 2.5.5.0: please upgrade your Sourcetree installations to fix this vulnerability.


Argument injection via Mercurial tag names on Windows (CVE-2018-5226)

Severity

We have rated this a critical severity vulnerability as measured by the Atlassian severity levels scale. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.


Description

There was an argument injection vulnerability in Sourcetree for Windows via the name of a Mercurial repository tag that is being deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.

All versions of Sourcetree for Windows before 2.5.5.0 are affected by this vulnerability. This issue can be tracked here: https://jira.atlassian.com/browse/SRCTREEWIN-8509
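The class of defect described above, as an added illustration that is not Sourcetree's code and not the fix Atlassian shipped: when a client places a tag name directly after "hg tag --remove", a name that begins with "-" is parsed by hg as an option instead of as the tag to delete. The hardened builder below validates the name and terminates option parsing with "--" (this assumes hg honours "--" as end-of-options, as getopt-style parsers do), and the audit function scans "hg tags"-style output for option-shaped names so a repository can be checked before an older client touches it. The function names, the sample tag names and the tag listing are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample values (not from the advisory): a benign tag name and a
# tag name shaped like a command-line option.
BENIGN_TAG = "release-1.2.0"
OPTION_SHAPED_TAG = "--some-option"

# Characters Mercurial itself refuses in label names (':' and control
# characters), applied here as a conservative local policy rather than a
# reproduction of Mercurial's exact rule set.
_FORBIDDEN_CHARS = re.compile(r"[:\x00\r\n]")


def tag_name_problem(tag: str) -> str:
    """Return "" if the tag name is safe to put on an hg command line,
    otherwise a short reason it was rejected."""
    if not tag or tag.strip() == "":
        return "empty or whitespace-only"
    if tag.startswith("-"):
        return "starts with '-' (would be parsed as an option)"
    if _FORBIDDEN_CHARS.search(tag):
        return "contains ':' or a control character"
    return ""


def argv_unsafe(repo: str, tag: str) -> List[str]:
    """The shape of the flaw the advisory describes: the tag name follows
    'tag --remove' with no separator, so an option-like name is interpreted
    by hg's option parser rather than treated as the tag to delete."""
    return ["hg", "-R", repo, "tag", "--remove", tag]


def argv_safe(repo: str, tag: str) -> List[str]:
    """Hardened form: reject option-shaped or malformed names, and end option
    parsing with '--' so everything after it is positional. Assumes hg
    honours '--' as end-of-options, as getopt-style parsers do."""
    problem = tag_name_problem(tag)
    if problem:
        raise ValueError(f"refusing tag name {tag!r}: {problem}")
    return ["hg", "-R", repo, "tag", "--remove", "--", tag]


def option_like_tags(hg_tags_output: str) -> Dict[str, str]:
    """Audit the text of 'hg tags' (one 'name  rev:node' line per tag) and
    return {name: reason} for every name that fails the policy."""
    flagged: Dict[str, str] = {}
    for line in hg_tags_output.splitlines():
        if not line.strip():
            continue
        # The name and 'rev:node' are separated by whitespace, and 'rev:node'
        # itself contains none, so splitting on the last whitespace run keeps
        # names that contain spaces intact.
        name = line.rsplit(None, 1)[0]
        reason = tag_name_problem(name)
        if reason:
            flagged[name] = reason
    return flagged


# Constructed 'hg tags'-style listing used to exercise the audit function.
SAMPLE_HG_TAGS = """\
tip                               12:0123456789ab
release-1.2.0                     10:89abcdef0123
--some-option                      9:456789abcdef
"""

if __name__ == "__main__":
    print("unsafe argv:", argv_unsafe("C:\\repo", OPTION_SHAPED_TAG))
    print("safe argv:  ", argv_safe("C:\\repo", BENIGN_TAG))
    print("flagged:    ", option_like_tags(SAMPLE_HG_TAGS))
```

In a real client the list returned by argv_safe would be handed to subprocess.run without a shell, so the tag name never passes through a second round of command-line parsing; the validation step is what guards against names the option terminator alone would not cover, such as names containing control characters.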

Acknowledgements

Atlassian would like to credit Tianqi Zhang@Tophant for reporting this issue to us.

Mitigation

There is no known mitigation for this issue.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree version 2.5.5.0, which contains a fix for this issue and can be downloaded from https://downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-2.5.5.exe and https://downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_2.5.5.msi.

What You Need to Do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Sourcetree, see the release notes for Windows. You can download the latest version of Sourcetree from the Sourcetree website.


Support

Atlassian supports SourceTree through the Atlassian Community. If you have questions or concerns regarding this advisory, go to https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree.

References

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

Last modified on Jul 9, 2018
