Sourcetree Security Advisory 2019-03-06
March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities
Summary | March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities
---|---
Advisory Release Date | 06 Mar 2019 10:00 AM PDT (Pacific Time, UTC-7)
Products | Sourcetree for macOS; Sourcetree for Windows
Affected Sourcetree Versions | Sourcetree for macOS 1.2 and later, before 3.1.1; Sourcetree for Windows 0.5a and later, before 3.0.17
Fixed Sourcetree Versions | Sourcetree for macOS 3.1.1; Sourcetree for Windows 3.0.17
CVE ID(s) | CVE-2018-20234, CVE-2018-20235, CVE-2018-17456, CVE-2018-20236
Summary of Vulnerabilities
This advisory discloses three critical severity security vulnerabilities in Sourcetree for macOS and Sourcetree for Windows.
Versions of Sourcetree for macOS starting with 1.2 before 3.1.1, and versions of Sourcetree for Windows starting with 0.5a before 3.0.17 are affected by one or more of these vulnerabilities.
Customers who have upgraded to Sourcetree for macOS version 3.1.1 or Sourcetree for Windows version 3.0.17 are not affected.
Customers who have downloaded and installed Sourcetree for macOS before version 3.1.1 or Sourcetree for Windows before version 3.0.17 are affected. Please upgrade your Sourcetree installations immediately to fix these vulnerabilities.
Mercurial hooks vulnerability - CVE-2018-20234 and CVE-2018-20235
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate how it applies to your own IT environment.
Description
Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before version 3.0.15 were vulnerable to CVE-2018-20234 and CVE-2018-20235 respectively. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS or Windows is able to exploit this issue to gain code execution on the system.
Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are affected by this vulnerability. This issue can be tracked here:
SRCTREE-6391 - Argument Injection via Mercurial hooks in Sourcetree for macOS - CVE-2018-20234 CLOSED
Versions of Sourcetree for Windows starting with 0.5a before version 3.0.15 are affected by this vulnerability. This issue can be tracked here:
SRCTREEWIN-11289 - Argument Injection via Mercurial hooks in Sourcetree for Windows - CVE-2018-20235 CLOSED
Acknowledgements
Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.
Fix
We have taken the following steps to address this issue:
Released Sourcetree for Windows version 3.0.15 that contains a fix for this issue.
Released Sourcetree for macOS version 3.1.1 that contains a fix for this issue.
Git submodules vulnerability - CVE-2018-17456
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate how it applies to your own IT environment.
Description
Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before version 3.0.17 were both vulnerable to CVE-2018-17456. A remote attacker with permission to commit to a git repository linked in Sourcetree for macOS or Windows is able to exploit this issue to gain code execution on the system.
Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are affected by this vulnerability. This issue can be tracked here:
SRCTREE-6394 - Input validation vulnerability via Git in Sourcetree for Mac - CVE-2018-17456 CLOSED
Versions of Sourcetree for Windows starting with 0.5a before version 3.0.17 are affected by this vulnerability. This issue can be tracked here:
SRCTREEWIN-11292 - Input validation vulnerability via Git in Sourcetree for Windows - CVE-2018-17456 CLOSED
Acknowledgements
Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.
Fix
We have taken the following steps to address this issue:
Released Sourcetree for macOS version 3.1.1 that contains a fix for this issue.
Released Sourcetree for Windows version 3.0.17 that contains a fix for this issue.
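CVE-2018-17456 is the Git issue, fixed upstream in Git 2.19.1 and its maintenance releases, in which a .gitmodules entry whose url or path begins with a dash is handed to the child `git clone` as a command-line option during a recursive clone or `git submodule update`. The scanner below is added here as an illustration; it is not Atlassian's, Sourcetree's or Git's code. It reads a .gitmodules file with a small hand-written reader (an approximation of Git's config syntax, not Git's own parser) and flags such entries, including ones wrapped in Git-config double quotes, which a naive `startswith("-")` check on the raw line would miss. The sample file is constructed for the example.

```python
"""Flag .gitmodules entries that `git clone` would parse as options.

Added example for CVE-2018-17456: during `git clone --recurse-submodules` or
`git submodule update`, Git runs `git clone <url> <path>` for each submodule.
Before the upstream fix, a url or path beginning with '-' was consumed as an
option of that child process instead of as a URL or path.
The reader below is a deliberately small approximation of Git's config syntax
(written for this example), sufficient for real-world .gitmodules files.
"""
import re
import sys

_SECTION = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
_KEYVAL = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')


def _unquote(value):
    """Strip one pair of Git-config double quotes: "-x" and -x are the same value."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_gitmodules(text):
    """Return {submodule name: {key: value}}; keys are lower-cased as Git does."""
    modules, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":  # blank line or comment line
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name")
            modules.setdefault(current, {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            modules[current][m.group("key").lower()] = _unquote(m.group("value"))
    return modules


def find_option_injection(text):
    """List (submodule, key, value) triples whose url or path starts with '-'."""
    findings = []
    for name, entries in parse_gitmodules(text).items():
        for key in ("url", "path"):
            value = entries.get(key, "")
            if value.startswith("-"):
                findings.append((name, key, value))
    return findings


# Constructed sample: one ordinary submodule, one with a dash-prefixed url,
# one with a dash-prefixed path hidden inside Git-config quotes.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "evil"]
\tpath = vendor/evil
\turl = -x./not-a-url
[submodule "quoted"]
\tpath = "-x"
\turl = https://example.invalid/quoted.git
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_GITMODULES
    for name, key, value in find_option_injection(text):
        print("submodule %r: %s=%r would be parsed as an option" % (name, key, value))
```

Run it with the path to a repository's .gitmodules before recursing into submodules with an unpatched client; an empty result means no entry starts with a dash. Patched Git releases refuse such values themselves, so the check is only a stopgap for clients that still bundle an older Git.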
URI handling vulnerability - CVE-2018-20236
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate how it applies to your own IT environment.
Description
Sourcetree for Windows before version 3.0.10 was vulnerable to CVE-2018-20236. A remote attacker able to send a URI to a Sourcetree for Windows user is able to exploit this issue to gain code execution on the system.
Versions of Sourcetree for Windows starting with 0.5a before version 3.0.10 are affected by this vulnerability. This issue can be tracked here:
SRCTREEWIN-11291 - Command Injection via URI handling in Sourcetree for Windows - CVE-2018-20236 CLOSED
Acknowledgements
Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.
Fix
We have taken the following steps to address this issue:
Released Sourcetree for Windows version 3.0.10 that contains a fix for this issue.
What You Need to Do
Upgrade Sourcetree for Windows to version 3.0.17 or higher.
Upgrade Sourcetree for macOS to version 3.1.1 or higher.
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Sourcetree for macOS, see the release notes. For a full description of the latest version of Sourcetree for Windows, see the release notes. You can download the latest version of Sourcetree from the Sourcetree website.
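A version check, added here as an example and not part of Atlassian's advisory or of Sourcetree, that encodes the affected ranges and per-CVE fix versions stated above and reports which CVEs a given installed version is still exposed to. Version strings such as 0.5a need a tokenizer that sorts a numeric component with a letter suffix after the bare number; that ordering rule is this script's assumption, not a scheme Atlassian documents.

```python
"""Check an installed Sourcetree version against the ranges in this advisory.

Added example: the tables below are transcribed from the advisory text; the
version-ordering rule is this script's own assumption (numeric components
compared as integers, a trailing letter such as the 'a' in 0.5a sorts after the
bare number, 0.5 < 0.5a < 0.6).
"""
import re
import sys

# A version is exposed to a CVE when it is at or after the first affected
# version for its platform and before that CVE's fix version.
FIRST_AFFECTED = {"macos": "1.2", "windows": "0.5a"}
FIX_VERSIONS = {
    "macos": {
        "CVE-2018-20234": "3.1.1",   # Mercurial hooks argument injection
        "CVE-2018-17456": "3.1.1",   # Git submodules input validation
    },
    "windows": {
        "CVE-2018-20236": "3.0.10",  # URI handling command injection
        "CVE-2018-20235": "3.0.15",  # Mercurial hooks argument injection
        "CVE-2018-17456": "3.0.17",  # Git submodules input validation
    },
}

_COMPONENT = re.compile(r"^(\d+)([A-Za-z]*)$")


def parse_version(text):
    """'3.0.17' -> ((3,''),(0,''),(17,'')); '0.5a' -> ((0,''),(5,'a')).

    Tuples compare lexicographically, so 3.0.17 < 3.1.1 and 3.1 < 3.1.1.
    """
    parts = []
    for piece in text.strip().split("."):
        m = _COMPONENT.match(piece)
        if not m:
            raise ValueError("unrecognised version component: %r" % piece)
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def affected_cves(platform, installed):
    """Return the CVE ids the given version is still exposed to, in fix order."""
    platform = platform.lower()
    v = parse_version(installed)
    if v < parse_version(FIRST_AFFECTED[platform]):
        return []  # the advisory only covers versions from the first affected one
    return [cve for cve, fixed in FIX_VERSIONS[platform].items()
            if v < parse_version(fixed)]


def minimum_safe_version(platform):
    """The lowest version that closes every CVE in this advisory for the platform."""
    return max(FIX_VERSIONS[platform.lower()].values(), key=parse_version)


if __name__ == "__main__":
    plat, ver = sys.argv[1:3] if len(sys.argv) == 3 else ("windows", "3.0.12")
    cves = affected_cves(plat, ver)
    if cves:
        print("%s %s is exposed to %s; upgrade to %s or later"
              % (plat, ver, ", ".join(cves), minimum_safe_version(plat)))
    else:
        print("%s %s is not affected by this advisory" % (plat, ver))
```

Usage: `python check_sourcetree.py windows 3.0.12` reports the two CVEs that 3.0.15 and 3.0.17 close, since 3.0.10 already closed CVE-2018-20236. Read the installed version from Sourcetree's About dialog; the script does not query the installation itself.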
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
Our SLAs and guarantees for bugfixes.
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
Our end of life policy varies for different products. Please refer to the policy for details.