Sourcetree Security Advisory 2018-04-25
Sourcetree - Argument injection via Mercurial tag names on Windows - CVE-2018-5226
CVE-2018-5226 - Argument injection through the name of a tag for Windows
|Advisory Release Date|
10:00 AM PDT (Pacific Time, -7 hours)
|Product||Sourcetree for Windows|
Affected Sourcetree Versions
Fixed Sourcetree Versions
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability which affects Sourcetree for Window before 126.96.36.199 (the fixed version).
Customers who have upgraded Sourcetree for Windows to version 188.8.131.52 and later are not affected.
Customers using Sourcetree for Mac are not affected.
Customers who have downloaded and installed Sourcetree for Windows before version 184.108.40.206
Please upgrade your Sourcetree installations to fix this vulnerability.
Argument injection via Mercurial tag names on Windows (CVE-2018-5226)
We have rated this a critical severity vulnerability as measured by the Atlassian severity levels scale. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
There was an argument injection vulnerability in Sourcetree for Windows via Mercurial repository tag name that is going to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
All versions of Sourcetree for Windows before 220.127.116.11 are affected by this vulnerability. This issue can be tracked here: https://jira.atlassian.com/browse/SRCTREEWIN-8509
Atlassian would like to credit Tianqi Zhang@Tophant for reporting this issue to us.
There is no known mitigation for this issue.
We have taken the following steps to address this issue:
- Released Sourcetree version 18.104.22.168 that contains a fix for this issue which can be downloaded from https://downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-2.5.5.exe and https://downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_2.5.5.msi.
What You Need to Do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Sourcetree, see the release notes for Windows. You can download the latest version of Sourcetree from the Sourcetree website.
Atlassian supports SourceTree through the Atlassian Community. If you have questions or concerns regarding this advisory, go to https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree.
|Severity Levels for security issues||Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.|