
Atlassian SourceTree 2.5c Command Execution

Posted May 22, 2017
Authored by Yu Hong

Atlassian SourceTree versions 2.5c and below suffer from a command injection vulnerability. This advisory gives a ridiculously small amount of information regarding the issue itself.

tags | advisory
advisories | CVE-2017-8768
SHA-256 | e2a767420fa68c4a02c5ef67ce359c7a39caef6bd52157da4e47059779e79f74

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/jW2xNQ .


CVE ID:

* CVE-2017-8768.

Product: SourceTree.

Affected SourceTree product versions:

* SourceTree for Mac 1.4.0 <= version < 2.5.1
* SourceTree for Windows 0.8.4b <= version < 2.0.20.1


Fixed SourceTree product versions:

* Versions of SourceTree for Mac equal to and above 2.5.1 contain a
fix for this issue.
* Versions of SourceTree for Windows equal to and above 2.0.20.1
contain a fix for this issue.
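
The affected and fixed ranges above are easy to misread when triaging an inventory of workstations, so here is an added example, not Atlassian's code and not part of the advisory, that encodes those ranges and checks version strings against them. The ordering of a trailing letter such as the "b" in 0.8.4b is an assumption, and the inventory at the bottom is constructed sample data.

```python
"""Check installed SourceTree versions against the ranges the advisory lists
for CVE-2017-8768.  Added example; not Atlassian's code.

Assumptions: a trailing letter ("0.8.4b") sorts after the bare numeric
version ("0.8.4"), and missing numeric components count as zero ("2.5" is
"2.5.0.0").  The inventory at the bottom is constructed sample data.
"""
import re

# Inclusive lower bound, exclusive upper bound, as stated in the advisory.
AFFECTED_RANGES = {
    "mac": ("1.4.0", "2.5.1"),
    "windows": ("0.8.4b", "2.0.20.1"),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,3})([a-z])?$")


def parse_version(text):
    """Turn '2.0.20.1' into ((2, 0, 20, 1), '') and '0.8.4b' into ((0, 8, 4, 0), 'b').

    The result compares correctly under Python's ordinary tuple ordering.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError("unrecognised SourceTree version string: %r" % text)
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    return nums, m.group(2) or ""


def is_affected(platform, version):
    """True when `version` falls inside the advisory's range for `platform`."""
    low, high = AFFECTED_RANGES[platform.lower()]
    return parse_version(low) <= parse_version(version) < parse_version(high)


def triage(inventory):
    """Return the hostnames whose SourceTree install still needs the upgrade."""
    return [host for host, platform, version in inventory
            if is_affected(platform, version)]


# Constructed sample inventory: (hostname, platform, installed version).
SAMPLE_INVENTORY = [
    ("mac-dev-01", "mac", "2.5.0"),
    ("mac-dev-02", "mac", "2.5.1"),
    ("mac-dev-03", "mac", "1.3.9"),
    ("win-dev-01", "windows", "2.0.20"),
    ("win-dev-02", "windows", "2.0.20.1"),
    ("win-dev-03", "windows", "0.8.4b"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, "is affected by CVE-2017-8768; upgrade SourceTree")
```

Note that the upper bounds are exclusive, matching the advisory's "before 2.5.1" and "before 2.0.20.1" wording, so a host already on the fixed version is not reported.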

Summary:
This advisory discloses a critical security vulnerability in versions
of SourceTree for Mac starting with 1.4.0 but before 2.5.1 and
SourceTree for Windows starting with 0.8.4b but before 2.0.20.1.

Customers who have upgraded SourceTree for Mac to version 2.5.1 are
not affected.

Customers who have upgraded SourceTree for Windows to version 2.0.20.1
are not affected.

Customers who have downloaded and installed SourceTree for Mac
starting with 1.4.0 but before 2.5.1 (the fixed version for 2.5.x) or
SourceTree for Windows starting with 0.8.4b but before 2.0.20.1 (the
fixed version for 2.0.x) should upgrade SourceTree to the latest
version to fix this vulnerability.

Command Injection - CVE-2017-8768:

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in Atlassian's severity levels. The
scale ranks a vulnerability as critical, high, moderate or low.
This is our assessment, and you should evaluate its applicability to
your own IT environment.


Description:

SourceTree for Mac and Windows are affected by a command injection
vulnerability in URI handling. The vulnerability can be triggered
through a browser or through the SourceTree interface.
Versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1
and versions of SourceTree for Windows starting with 0.8.4b but before
2.0.20.1 are affected by this vulnerability. The issue for SourceTree
for Mac can be found at https://jira.atlassian.com/browse/SRCTREE-4738
and for SourceTree for Windows at
https://jira.atlassian.com/browse/SRCTREEWIN-7161 .
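
The advisory does not say where in SourceTree's URI handling the injection occurred, so the following added example, which is not SourceTree's code and does not reproduce the actual CVE-2017-8768 flaw, shows the bug class in general form on a hypothetical vcsclient:// handler: the remote taken from the URI is interpolated into a shell string by the vulnerable builder, and passed as a single argv element behind a scheme allowlist by the hardened one. The scheme name, the url= query parameter and the payload URI are assumptions made for the example.

```python
"""The bug class the advisory names, command injection in a URI handler, shown
on a hypothetical "vcsclient://clone?url=..." scheme.  Added example; this is
NOT SourceTree's code and does not reproduce the actual CVE-2017-8768 flaw.

Neither builder runs anything: each returns the command it would execute so
the two approaches can be compared offline.  The scheme name, the "url"
query parameter and the payload URI are all constructed for the example.
"""
import shlex
from urllib.parse import parse_qs, urlsplit

# Remote transports a clone handler should accept.  "ext::" is deliberately
# absent: git's ext transport runs an arbitrary helper command.
ALLOWED_REMOTE_SCHEMES = {"https", "ssh", "git"}


def remote_from_uri(uri):
    """Extract the url= parameter from the handler URI (empty if missing)."""
    return parse_qs(urlsplit(uri).query).get("url", [""])[0]


def build_clone_command_unsafe(uri):
    """Vulnerable pattern: string-format the remote into a shell command line.

    Whatever the browser put in the query string is handed to the shell
    unquoted, so metacharacters become shell syntax.
    """
    return "git clone %s" % remote_from_uri(uri)


def build_clone_command_safe(uri):
    """Hardened pattern: allowlist the remote scheme, refuse option-looking
    values, and return an argv list so no shell ever parses the remote.
    """
    remote = remote_from_uri(uri)
    if not remote or remote.startswith("-"):
        raise ValueError("remote missing or looks like a git option: %r" % remote)
    scheme = urlsplit(remote).scheme
    if scheme not in ALLOWED_REMOTE_SCHEMES:
        raise ValueError("refusing remote scheme %r" % scheme)
    # "--" ends git's option parsing; the remote stays one argv element
    # regardless of the spaces or metacharacters it contains.
    return ["git", "clone", "--", remote]


def shell_words(command_line):
    """How a POSIX shell would tokenise the unsafe command line."""
    return shlex.split(command_line)


def is_rejected(uri):
    """True when the hardened builder refuses the handler URI."""
    try:
        build_clone_command_safe(uri)
    except ValueError:
        return True
    return False


# Constructed payload: a web page could hand this to the handler from a
# browser.  Decoded, url= becomes "https://example.org/repo.git $(id)".
CONSTRUCTED_URI = "vcsclient://clone?url=https://example.org/repo.git%20%24(id)"

if __name__ == "__main__":
    print("unsafe:", shell_words(build_clone_command_unsafe(CONSTRUCTED_URI)))
    print("safe:  ", build_clone_command_safe(CONSTRUCTED_URI))
```

With the constructed payload the unsafe builder yields a command line the shell splits into four words, the last being a command substitution, while the hardened builder returns a four-element argv whose last element is the whole remote string, which git will simply fail to clone. The call site for the hardened form is `subprocess.run(argv)` with no `shell=True`; the allowlist matters even then, because git's own ext:: transport executes a helper command without any shell involvement.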

Remediation:

Upgrade SourceTree for Mac to version 2.5.1 or higher. Note that
SourceTree for Mac 2.5.0 and later require Mac OS X 10.11 or later.
Upgrade SourceTree for Windows to version 2.0.20.1 or higher.

For a full description of the latest version of SourceTree, see the
release notes for Mac
(https://www.sourcetreeapp.com/update/releasenotes/2.5.1.html) and for
Windows (https://www.sourcetreeapp.com/update/windows/ga/ReleaseNotes_2.0.20.1.html).
You can download the latest version of SourceTree from
https://www.sourcetreeapp.com/.


Acknowledgements:
Atlassian would like to credit Yu Hong for reporting this issue to us.


Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----