Sourcetree Security Advisory 2019-03-06

Still need help?

The Atlassian Community is here for you.

Ask the community

March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities

Summary

March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities

Advisory Release Date

06 Mar 2019 10:00 AM PDT (Pacific Time, -7 hours)

Products

  • Sourcetree for macOS

  • Sourcetree for Windows

Affected Sourcetree Versions

  • Sourcetree for macOS 1.2 <= version < 3.1.1

    Affected versions: Sourcetree for macOS

    3.1.0
    3.1b1
    3.0
    3.0.1
    3.0b7
    3.0b6
    3.0b5
    3.0b4
    3.0b3
    3.0b2
    3.0b1
    2.7.6
    2.7.5
    2.7.4
    2.7.3
    2.7.2
    2.7.2b2
    2.7.1b2
    2.7.1b1
    2.4.7.0
    2.7
    2.7b3
    2.7b2
    2.7b1
    2.6.3
    2.6.2
    2.6.1
    2.6
    2.5.3
    2.5.2
    2.5.1
    2.5
    2.4.1
    2.4
    2.3.2
    2.3.1
    2.3
    2.2.4
    2.2.3
    2.2.2
    2.2.1
    2.2
    2.0.5.8
    2.0.5.7
    2.0.5.6
    2.0.5.5
    2.0.5.4
    2.0.5.2
    2.0.5
    2.0.4
    2.0.3
    2.0.2
    2.0.1
    2.1
    2.0.0
    1.9.8
    1.9.7
    1.9.5.2
    1.9.5.1
    1.9.6
    1.9.4.1
    1.9.5
    1.9.3.1
    1.9.4
    1.9.3
    1.9.2
    1.9.1
    1.8.3
    1.8.2
    1.8.0.3
    1.8.1
    1.8.0.2
    1.8.0.1
    1.9.0
    1.7.5
    1.7.4.1
    1.7.4
    1.7.3
    1.7.2
    1.7.1
    1.6.4.1
    1.6.2.2
    1.6.2.1
    1.6.3.1
    1.8.0
    1.6.2
    1.6.0
    1.6.0.1
    1.6.1
    1.6.0b3
    1.6.0b2
    1.6.0b1
    1.7.0
    1.5.7.1
    1.5.8
    1.5.7
    1.5.5.1
    1.5.6
    1.5.5
    1.5.4
    1.5.3
    1.5.2
    1.5.1
    1.5.0b1
    1.6
    1.4.4
    1.4.3
    1.4.1.1
    1.4.2
    1.4.0b1
    1.4.1
    1.3.4
    1.3.3
    1.5.0
    1.3.1.1
    1.3.0
    1.3.2
    1.3.0b3
    1.3.0b2
    1.4.0
    1.3.1
    1.3.0b1
    1.2.9.1
    1.2.9
    1.2.8.1
    1.2.8
    1.2.4
    1.2.3
    1.2.2
    1.2.1
    1.2

  • Sourcetree for Windows 0.5a <= version < 3.0.17

    Affected versions: Sourcetree for Windows

    3.0.15-beta-2612
    3.0.15
    3.0.10
    3.0.12
    3.0.9
    3.0.9-beta-2351
    3.0.6
    3.0.8
    3.0.5
    3.0.3
    3.0.0-beta-2125
    3.0.0-beta-2101
    3.0.0-beta-1983
    3.0.0-beta-1962
    3.0.0-beta-1930
    2.6.9.
    2.6.9
    2.6.9-beta-0
    2.6.7
    2.6.6
    2.6.6-beta-0
    2.6.3
    2.6.3-beta-0
    2.6.1-beta-1
    2.6.0-beta-0
    2.5.5.0
    2.4.8.0
    2.4.7.0
    2.4.4-beta-0
    2.3.5.0
    2.3.1.0
    2.2.4.0
    2.1.7.0
    2.1.6-beta-0
    2.1.5-beta-0
    2.1.2.5
    2.1.4-beta-0
    2.1.2.4
    2.1.2.3
    2.0.12-beta-1
    1.10.23.1
    1.10.22.1
    1.10.21.1
    2.0.11-beta-1
    2.0.9-beta-1
    2.0.8-beta-1
    1.10.19.1
    1.10.20.1
    1.10.18.1
    1.10.15.4
    1.10.14-beta-2
    1.9.10.0
    1.9.9.20
    1.9.6.2
    1.9.7-beta-2
    1.9.7-beta-1
    1.9.6.1
    1.9.7-beta-0
    1.9.7
    1.9.6-beta-0
    1.9.6
    1.9.5.0
    1.9.4-beta-1
    1.9.4-beta-0
    1.10.0-alpha-1
    1.9.3-beta-1
    1.9.3-beta-0
    1.9.2-beta-1
    1.9.1-beta-1
    1.9.0-beta-5
    1.8.2.11
    1.8.2.3
    1.8.2.2
    1.8.3
    1.8.2
    1.8.1
    1.8.0.36401
    1.6.25
    1.6.24
    1.6.23
    1.6.22
    1.6.21
    1.6.20
    1.6.19
    1.6.18
    1.6.17
    1.6.16
    1.6.15004
    1.6.15003
    1.6.15001
    1.6.15
    1.6.14
    1.6.13002
    1.6.13001
    1.6.12002
    1.6.13
    1.6.12001
    1.6.12
    1.6.11
    1.6.10
    1.6.9
    1.6.9003
    1.6.9002
    1.6.9001
    1.6.8
    1.6.7
    1.6.6
    1.6.5
    1.7
    1.6.3
    1.6.4
    1.6.2
    1.6.1
    1.6
    1.5.2
    1.5.1
    1.4.1
    1.5.0
    1.4.0
    1.3.3
    1.3.2
    1.3.1
    1.3.0
    1.2.4
    1.2.3
    1.2.2
    1.2.1
    1.2.0
    1.1.1
    1.0.8
    1.0.7
    1.0.6
    1.0.5
    1.0.4
    1.0.3
    1.1
    1.0.2
    1.0.1
    0.9.4
    0.9.2.3
    0.9.2.2
    0.9.3
    0.9.2.1
    0.9.2
    0.9.1.2
    0.9.1.1
    0.9.0.6b
    0.9.0.5b
    0.9.0.4b
    0.9.0.3b
    0.9.0.2b
    0.9.1
    0.9.0.1b
    0.8.5b
    0.8.4b
    0.8.3b
    0.8.2b
    0.8.1b
    1.0.0
    0.9b
    0.8b
    0.5a

Fixed Sourcetree Versions

  • Sourcetree for macOS version 3.1.1 and higher.

  • Sourcetree for Windows version 3.0.17 and higher.

CVE ID(s)

  • CVE-2018-20234

  • CVE-2018-20235

  • CVE-2018-17456

  • CVE-2018-20236


Summary of Vulnerabilities

This advisory discloses three critical severity security vulnerabilities in Sourcetree for macOS and Sourcetree for Windows.

Versions of Sourcetree for macOS starting with 1.2 before 3.1.1, and versions of Sourcetree for Windows starting with 0.5a before 3.0.17 are affected by one or more of these vulnerabilities.

Customers who have upgraded to Sourcetree for macOS version 3.1.1 or Sourcetree for Windows version 3.0.17 are not affected.

Customers who have downloaded and installed Sourcetree for macOS before version 3.1.1 or Sourcetree for Windows before version 3.0.17 are affected.

Please upgrade your Sourcetree installations immediately to fix this vulnerability.

Mercurial hooks vulnerability - CVE-2018-20234 and CVE-2018-20235

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT environment.

Description

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before version 3.0.15 were vulnerable to CVE-2018-20234 and CVE-2018-20235 respectively. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS or Windows is able to exploit this issue to gain code execution on the system.

Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are affected by this vulnerability. This issue can be tracked here:

SRCTREE-6391 - Argument Injection via Mercurial hooks in Sourcetree for macOS - CVE-2018-20234 CLOSED

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.15 are affected by this vulnerability. This issue can be tracked here:

SRCTREEWIN-11289 - Argument Injection via Mercurial hooks in Sourcetree for Windows - CVE-2018-20235 CLOSED

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree for Windows version 3.0.15 that contains a fix for this issue.

  2. Released Sourcetree for macOS version 3.1.1 that contains a fix for this issue.

Git submodules vulnerability - CVE-2018-17456

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT environment.

Description

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before version 3.0.17 were both vulnerable to CVE-2018-17456. A remote attacker with permission to commit to a git repository linked in Sourcetree for macOS or Windows is able to exploit this issue to gain code execution on the system.

Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are affected by this vulnerability. This issue can be tracked here:

SRCTREE-6394 - Input validation vulnerability via Git in Sourcetree for Mac - CVE-2018-17456CLOSEDVersions of Sourcetree for Windows starting with 0.5a before version 3.0.17 are affected by this vulnerability. This issue can be tracked here:

SRCTREEWIN-11292 - Input validation vulnerability via Git in Sourcetree for Windows - CVE-2018-17456 CLOSED

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree for macOS version 3.1.1 that contains a fix for this issue.

  2. Released Sourcetree for Windows version 3.0.17 that contains a fix for this issue.

URI handling vulnerability - CVE-2018-20236

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT environment.

Description

Sourcetree for Windows before version 3.0.10 was vulnerable to CVE-2018-20236. A remote attacker able to send a URI to a Sourcetree for Windows user is able to exploit this issue to gain code execution on the system.

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.10 are affected by this vulnerability. This issue can be tracked here:

SRCTREEWIN-11291 - Command Injection via URI handling in Sourcetree for Windows - CVE-2018-20236 CLOSED

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree for Windows version 3.0.10 that contains a fix for this issue.

What You Need to Do

Upgrade Sourcetree for Windows to version 3.0.17 or higher.

Upgrade Sourcetree for macOS to version 3.1.1 or higher.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Sourcetree for macOS, see the release notes. For a full description of the latest version of Sourcetree for Windows, see the release notes. You can download the latest version of Sourcetree from the Sourcetree website.

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bugfix Policy

Our SLAs and guarantees for bugfixes.

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to the policy for details.

Last modified on Mar 6, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.