Twenty Year Anniversary

SourceTree Remote Code Execution

SourceTree Remote Code Execution
Posted Sep 7, 2017
Authored by David Black | Site atlassian.com

SourceTree suffers from multiple remote code execution vulnerabilities that can be triggered via hostile repositories being checked in. SourceTree for macOS versions prior to 2.6.1 and SourceTree for Windows versions prior to 2.1.10 are affected.

tags | advisory, remote, vulnerability, code execution
systems | windows
advisories | CVE-2017-1000115, CVE-2017-1000116, CVE-2017-1000117, CVE-2017-9800
MD5 | 52976d1b81c96e47418d943393c31c13

SourceTree Remote Code Execution

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/c-mdNw .


CVE ID:

* CVE-2017-1000117 - Git.
* CVE-2017-1000115 - Mercurial.
* CVE-2017-1000116 - Mercurial.
* CVE-2017-9800 - Subversion.


Product: SourceTree.

Affected SourceTree product versions:

* SourceTree for macOS 1.0b2 <= version < 2.6.1
* SourceTree for Windows 0.5.1.0 <= version < 2.1.10


Fixed SourceTree product versions:

* Versions of SourceTree for macOS, equal to and above 2.6.1 contain a
fix for this issue.
* Versions of SourceTree for Windows, equal to and above 2.1.10
contain a fix for this issue.


Summary:
This advisory discloses critical severity security vulnerabilities
which affect SourceTree for macOS and SourceTree for Windows. Versions
of SourceTree for macOS starting with 1.0b2 before version 2.6.1 and
versions of SourceTree for Windows starting with 0.5.1.0 before
version 2.1.10 are affected by this vulnerability.


Customers who have upgraded SourceTree for macOS to version 2.6.1 are
not affected.
Customers who have upgraded SourceTree for Windows to version 2.1.10
are not affected.

Customers who have downloaded and installed SourceTree for macOS
starting with 1.0b2 before version 2.6.1 or who have downloaded and
installed SourceTree for Windows starting with 0.5.1.0 before version
2.1.10 please upgrade your SourceTree for macOS or SourceTree for
Windows installations immediately to fix the vulnerabilities mentioned
in this advisory.

SourceTree for macOS and Windows - Remote Code Execution via Git and
Mercurial - Multiple CVEs

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low.
This is our assessment and you should evaluate its applicability to
your own IT environment.


Description:

SourceTree for macOS and Windows are affected by vulnerabilities found
in the Git and Mercurial software. This vulnerability can be triggered
through a malicious repository when it is checked out using
SourceTree. From version 1.4.0 of SourceTree for macOS and 0.8.4b of
SourceTree for Windows, this vulnerability can be triggered from a
webpage through the use of the SourceTree URI handler.
Versions of SourceTree for macOS starting with 1.0b2 before version
2.6.1 and versions of SourceTree for Windows starting with 0.5.1.0
before version 2.1.10 are affected by this vulnerability. This issue
can be tracked at: https://jira.atlassian.com/browse/SRCTREE-4904 and
for Windows at https://jira.atlassian.com/browse/SRCTREEWIN-7663.


Remediation:

Upgrade SourceTree for macOS to version 2.6.1 or higher. Please note
that since SourceTree for Mac 2.5.0 OSX 10.11 or later is required.
Upgrade SourceTree for Windows to version 2.1.10 or higher.

You can download the latest version of SourceTree from
https://www.sourcetreeapp.com/ .


Support:
Atlassian supports SourceTree through the Atlassian Community. If you
have questions or concerns regarding this advisory, go to
https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree .
-----BEGIN PGP SIGNATURE-----

iQI0BAEBCgAeBQJZr1kdFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8
Unag+WgP/3IIGyB+oShEgGGmRaSUsT9bA2Vqis/0i9nr/I//f5XACt897M+THELj
2S+ZD9RiALjkCD5Hq2wvTvs42KWt34+ImKQutI8FqnMf96cIszPhuhwurd7NdcX8
hhfZbVx1RZra7wKK2FbyC64VlxlYKHcNOvpTyDHAuki5bhBFkwLI0hf8vXWNPYZg
w6i6EzLC+QQNoEO5qb+NURuAImWt2tGQWsskLMbwlJIdrqsqQ3TrjUvKAgvRfkUn
1H8cCDArA1HpQKz6peI32NeuvC2WcI3Zc7sKP7qDW/pNRk0iIDkRlJ8AlRMEu/LD
DgpJVhpVmDkdWHCy4SRN9Was3mRnaL9uZxsY6GUH2wi8Nt4/3JKJKsbG+MhmY762
B/NLuUA78mqDos6I0KxCjluhPOeFKv8W/BGkexLEjAoV2c348Fy5+X1S4vdoGlq+
+z7zyCUf3fsi6iz/Nt1C3vY/q76m1hL1VI5HX3btizwLOenUof6RDt6jTBzaA+zS
xt6YpwB1K+P2Lv32ChGFjAtAUljqoIqWK6brJljxHM5ey24hnovYYBJq8DI/xKPr
6EDGLAseEHldKy+8nAJ4BHgDWYco5jx0++GaHzLQTW/1VLn3uAXDK4MGJPcsLYQ6
WIlV192qlMUMPk53X3kAYNQG7t2EevWKn960hR8s/bwCm3Pvuvbi
=l639
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    7 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close