SourceTree Security Advisory 2017-05-10
SourceTree - Command Injection - CVE-2017-8768
Note: As of September 2014 we are no longer issuing binary bug patches, instead we create new maintenance releases for the major versions we are backporting.
Summary | CVE-2017-8768 - Command Injection |
---|---|
Advisory Release Date | 10 May 2017, 10:00 AM PDT (Pacific Time, UTC-7) |
Products | SourceTree for Mac, SourceTree for Windows |
Affected SourceTree Versions | Mac: 1.4.0 up to but not including 2.5.1; Windows: 0.8.4b up to but not including 2.0.20.1 |
Fixed SourceTree Versions | Mac: 2.5.1; Windows: 2.0.20.1 |
CVE ID(s) | CVE-2017-8768 |
Summary of Vulnerability
This advisory discloses a critical security vulnerability in versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 and SourceTree for Windows starting with 0.8.4b but before 2.0.20.1.
Customers who have upgraded SourceTree for Mac to version 2.5.1 are not affected.
Customers who have upgraded SourceTree for Windows to version 2.0.20.1 are not affected.
Customers who have downloaded and installed SourceTree for Mac 1.4.0 or later but before 2.5.1 (the fixed version for 2.5.x) are affected.
Customers who have downloaded and installed SourceTree for Windows 0.8.4b or later but before 2.0.20.1 (the fixed version for 2.0.x) are affected.
Please upgrade SourceTree to the latest version to fix this vulnerability.
Command Injection (CVE-2017-8768)
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
SourceTree for Mac and SourceTree for Windows are affected by a command injection vulnerability in their handling of URIs. A crafted URI can reach the vulnerable code either from a web browser (for example, a link that the operating system hands to SourceTree when clicked) or from within the SourceTree interface, so a user opening an attacker-supplied link is enough to trigger it.
Versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 are affected by this vulnerability. This issue can be tracked here.
Versions of SourceTree for Windows starting with 0.8.4b but before 2.0.20.1 are affected by this vulnerability. This issue can be tracked here.
What You Need to Do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree, see the release notes for Mac and Windows. You can download the latest versions of SourceTree from the SourceTree website.
Upgrade SourceTree for Mac to version 2.5.1 or higher. Note that SourceTree for Mac 2.5.0 and later require Mac OS X 10.11 or later.
Upgrade SourceTree for Windows to version 2.0.20.1 or higher and manually uninstall any older versions of SourceTree for Windows.
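As an added check (not Atlassian's code and not part of the original advisory), the Python below encodes the affected ranges stated above and flags an installed version that falls inside them, which is useful when sweeping an inventory of workstations. Two things are assumptions: the default macOS bundle path /Applications/SourceTree.app used to read the installed version, and the ordering of a trailing letter suffix (0.8.4 is treated as sorting before 0.8.4b, matching the advisory's use of 0.8.4b as the lower bound).

```python
"""Added check (not Atlassian's code): flag SourceTree installs that fall in the
version ranges this advisory lists as affected by CVE-2017-8768."""
import plistlib
import re
from pathlib import Path
from typing import Optional, Tuple

# Ranges from the advisory: a version is affected if LOW <= version < FIXED.
AFFECTED_RANGES = {
    "mac": ("1.4.0", "2.5.1"),
    "windows": ("0.8.4b", "2.0.20.1"),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.0.20.1' / '0.8.4b' into a comparable (numbers, suffix) pair.

    Numeric parts are padded to four components so that 2.5.1 == 2.5.1.0.
    Assumption: a trailing letter sorts after the bare version (0.8.4 < 0.8.4b),
    which matches the advisory using 0.8.4b as the lower bound on Windows.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SourceTree version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * max(0, 4 - len(numbers))
    return numbers, m.group(2)


def is_affected(platform: str, version: str) -> bool:
    """True if `version` of SourceTree on `platform` ('mac' or 'windows') is in the affected range."""
    low, fixed = AFFECTED_RANGES[platform.lower()]
    return parse_version(low) <= parse_version(version) < parse_version(fixed)


def installed_mac_version(app_path: Path = Path("/Applications/SourceTree.app")) -> Optional[str]:
    """Read CFBundleShortVersionString from the app bundle's Info.plist.

    The bundle path is an assumed default install location; returns None if absent.
    """
    plist = app_path / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    with plist.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def assess(platform: str, version: Optional[str]) -> str:
    """One-line verdict suitable for an inventory report."""
    if version is None:
        return f"{platform}: SourceTree not found"
    low, fixed = AFFECTED_RANGES[platform.lower()]
    if is_affected(platform, version):
        return f"{platform}: SourceTree {version} is AFFECTED by CVE-2017-8768; upgrade to {fixed} or later"
    return f"{platform}: SourceTree {version} is not in the affected range ({low} <= v < {fixed})"


if __name__ == "__main__":
    # Constructed inventory lines (not real hosts) of the form "<platform>,<version>".
    inventory = ["mac,2.4.1", "mac,2.5.1", "windows,2.0.19.5", "windows,2.0.20.1", "windows,0.8.4"]
    for line in inventory:
        platform, version = line.split(",", 1)
        print(assess(platform, version))
    # On a macOS machine, also check the locally installed bundle (None elsewhere).
    print(assess("mac", installed_mac_version()))
```

The range test is deliberately exclusive on the upper bound, so the fixed versions 2.5.1 and 2.0.20.1 themselves are reported as not affected, and a Windows install reported as plain 0.8.4 is treated as older than 0.8.4b rather than inside the range.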
Support
If you did not receive an email for this advisory and wish to receive such emails in the future, please go to https://my.atlassian.com/email and subscribe to "Product information & updates" for SourceTree. To receive advisories for our other products, please go to https://my.atlassian.com/email and subscribe to relevant alerts.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
Acknowledgments
Atlassian would like to credit Yu Hong for reporting this issue to us.
References
Severity Levels for security issues: Atlassian security advisories include a severity level and a CVE identifier. The severity level is based on Atlassian's self-calculated CVSS score for each specific vulnerability. CVSS is an industry-standard vulnerability metric; see FIRST.org to learn more about CVSS.