SourceTree Remote Command Injection

Posted Feb 1, 2018
Authored by Atlassian

Sourcetree for macOS versions 1.0b2 up to 2.7.0 and Sourcetree for Windows versions 0.5.1.0 up to 2.4.7.0 suffer from multiple command injection vulnerabilities.

tags | advisory, vulnerability
systems | windows
advisories | CVE-2017-14592, CVE-2017-14593, CVE-2017-17458, CVE-2017-17831
SHA-256 | d2c94b00ad0ef81396b3578120ab94bfa7b4948ed21552a912349549577784ea

This email refers to the advisory found at
https://confluence.atlassian.com/x/lIIyO.

CVE ID:

* CVE-2017-14592
* CVE-2017-14593
* CVE-2017-17458
* CVE-2017-17831


Product: Sourcetree

Affected Sourcetree product versions:

Sourcetree for macOS 1.0b2 <= version < 2.7.0
Sourcetree for Windows 0.5.1.0 <= version < 2.4.7.0


Fixed Sourcetree product versions:

* Versions of SourceTree for macOS equal to and above 2.7.0 contain a fix for
this issue.
* Versions of SourceTree for Windows equal to and above 2.4.7.0 contain a fix
for this issue.


Summary:
This advisory discloses critical severity security vulnerabilities.

Customers who have upgraded Sourcetree for macOS to version 2.7.0 are not
affected.

Customers who have upgraded Sourcetree for Windows to version 2.4.7.0 are not
affected.

Customers who have downloaded and installed Sourcetree for macOS starting with
1.0b2 before version 2.7.0 are affected.

Customers who have downloaded and installed Sourcetree for Windows starting with
0.5.1.0 before version 2.4.7.0 are affected.

Please upgrade your Sourcetree for macOS or Sourcetree for Windows installations
immediately to fix the vulnerabilities mentioned in this advisory.


Sourcetree for macOS - Various argument and command injection issues
(CVE-2017-14592)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Sourcetree for macOS had several argument and command injection bugs in
Mercurial and Git repository handling. An attacker with permission to commit to
a repository linked in Sourcetree for macOS is able to exploit this issue to
gain code execution on the system. From version 1.4.0 of Sourcetree for macOS,
this vulnerability can be triggered from a webpage through the use of the
Sourcetree URI handler. Versions of Sourcetree for macOS starting with 1.0b2
before version 2.7.0 are affected by this vulnerability.
This issue can be tracked at https://jira.atlassian.com/browse/SRCTREE-5243.

Acknowledgements:

Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to
us.


Sourcetree for Windows - Various argument and command injection issues
(CVE-2017-14593)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate, or low.
This is an independent assessment and you should evaluate its applicability to
your own IT environment.

Description:

Sourcetree for Windows had several argument and command injection bugs in
Mercurial and Git repository handling. An attacker with permission to commit to
a repository linked in Sourcetree for Windows is able to exploit this issue to
gain code execution on the system. From version 0.8.4b of Sourcetree for
Windows, this vulnerability can be triggered from a webpage through the use of
the Sourcetree URI handler. Versions of Sourcetree for Windows starting with
0.5.1.0 before version 2.4.7.0 are affected by this vulnerability.
This issue can be tracked at https://jira.atlassian.com/browse/SRCTREEWIN-8256.

Acknowledgements:

Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to
us.


Sourcetree for macOS and Windows - Mercurial: arbitrary command execution in
mercurial repositories with a git submodule (CVE-2017-17458)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate, or low.
This is an independent assessment and you should evaluate its applicability to
your own IT environment.

Description:

The embedded version of Mercurial used in Sourcetree for macOS and Sourcetree
for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue
if they commit to a Mercurial repository linked in Sourcetree for macOS or
Sourcetree for Windows by adding a git subrepository specifying arbitrary code
in the form of a .git/hooks/post-update script. This allows the attacker to
execute arbitrary code on systems running a vulnerable version of Sourcetree for
macOS or Sourcetree for Windows. Sourcetree for macOS and Sourcetree for Windows
perform background indexing, which allows for this issue to be exploited without
a user needing to directly interact with the git subrepository. From version
1.4.0 of Sourcetree for macOS and 0.8.4b of Sourcetree for Windows, this
vulnerability can be triggered from a webpage through the use of the Sourcetree
URI handler.

Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are
affected by this vulnerability. This issue can be tracked at
https://jira.atlassian.com/browse/SRCTREE-5244.

Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0
are affected by this vulnerability. This issue can be tracked at
https://jira.atlassian.com/browse/SRCTREEWIN-8257.

Acknowledgements:

Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to
us.


Sourcetree for macOS and Windows - Git LFS: Arbitrary command execution in
repositories with Git LFS enabled (CVE-2017-17831)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate, or low.
This is an independent assessment and you should evaluate its applicability to
your own IT environment.

Description:

The embedded version of Git LFS used in Sourcetree for macOS and Windows was
vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can
commit to a git repository linked in Sourcetree for macOS or Sourcetree for
Windows by adding a .lfsconfig file containing a malicious lfs url. This allows
them to execute arbitrary code on systems running a vulnerable version of
Sourcetree for macOS or Sourcetree for Windows. This vulnerability can also be
triggered from a web page through the use of the Sourcetree URI handler.

Versions of Sourcetree for macOS starting with 2.1 before version 2.7.0 are
affected by this vulnerability. This issue can be tracked at
https://jira.atlassian.com/browse/SRCTREE-5246.

Versions of Sourcetree for Windows starting with 1.7.0 before version 2.4.7.0
are affected by this vulnerability. This issue can be tracked at
https://jira.atlassian.com/browse/SRCTREEWIN-8261.
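As an added defender-side check (not part of Atlassian's advisory or of Sourcetree itself), the following Python inspects the two repository files the last two findings describe before a clone is opened in a GUI client: a Mercurial .hgsub that declares a git subrepository (CVE-2017-17458) and a .lfsconfig that redirects the Git LFS endpoint (CVE-2017-17831). The sample file contents are constructed, and the set of approved LFS hosts is an assumption the operator supplies.

```python
import re
from urllib.parse import urlsplit

# Constructed sample files (not taken from the advisory): a Mercurial .hgsub that
# pulls in a git subrepository, and a .lfsconfig that points Git LFS elsewhere.
SAMPLE_HGSUB = "docs = docs\nvendor/lib = [git]https://example.invalid/vendor/lib.git\n"
SAMPLE_LFSCONFIG = ('[lfs]\n\turl = https://lfs.example.invalid/x/repo\n'
                    '[remote "origin"]\n\tlfsurl = ssh://alt.example.invalid/x\n')

# .hgsub lines look like:  path = [kind]source   (kind defaults to hg)
HGSUB_RE = re.compile(r"^\s*(?P<path>[^#=]+?)\s*=\s*(?:\[(?P<kind>\w+)\])?(?P<src>\S+)")
# .lfsconfig uses git-config syntax: [section "subsection"] then key = value
SECTION_RE = re.compile(r'^\s*\[(?P<sec>[\w.-]+)(?:\s+"(?P<sub>[^"]*)")?\]\s*$')
KEYVAL_RE = re.compile(r"^\s*(?P<key>[\w-]+)\s*=\s*(?P<val>.*?)\s*$")
# Keys through which .lfsconfig can redirect the LFS endpoint (git-lfs-config).
LFS_KEYS = ("lfs.url", "lfs.pushurl")
REMOTE_SUFFIXES = (".lfsurl", ".lfspushurl")

def git_subrepos(hgsub_text):
    """Return [(path, source)] for .hgsub entries whose kind is [git]."""
    found = []
    for line in hgsub_text.splitlines():
        m = HGSUB_RE.match(line)
        if m and (m.group("kind") or "hg").lower() == "git":
            found.append((m.group("path"), m.group("src")))
    return found

def lfs_endpoints(lfsconfig_text):
    """Parse .lfsconfig and return {dotted.key: url} for every LFS endpoint key."""
    section, endpoints = None, {}
    for line in lfsconfig_text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        s = SECTION_RE.match(line)
        if s:
            section = s.group("sec").lower()
            if s.group("sub"):
                section += "." + s.group("sub")
            continue
        kv = KEYVAL_RE.match(line)
        if kv and section:
            key = f"{section}.{kv.group('key').lower()}"
            if key in LFS_KEYS or (key.startswith("remote.") and key.endswith(REMOTE_SUFFIXES)):
                endpoints[key] = kv.group("val")
    return endpoints

def offhost_endpoints(endpoints, allowed_hosts):
    """Return endpoint keys whose URL is not https to an approved LFS host."""
    return [key for key, url in endpoints.items()
            if urlsplit(url).scheme != "https" or urlsplit(url).hostname not in allowed_hosts]
```

Any git subrepository reported by git_subrepos, or any key returned by offhost_endpoints, is worth a manual look before the repository is indexed by a desktop client.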


Remediation:

Atlassian recommends that you upgrade to the latest version of Sourcetree:

* To version 2.7.0 or higher for macOS.
NOTE: Mac OS X 10.11 or later is required for Sourcetree 2.5.0 or later.

* To version 2.4.7.0 or higher for Windows, and manually uninstall any older
versions of Sourcetree. If you are using the embedded version of Git and/or
Mercurial, then after updating Sourcetree you should update the embedded
version. To update the embedded version of Git, select "Options" from the "Tools"
menu, then click on the Git tab and then click on the "Update Embedded Git"
button. To update the embedded version of Mercurial, select "Options" from the
"Tools" menu, then click on the Mercurial tab and then click on the "Update
Embedded Mercurial" button. If you are using the system-provided Git and/or
Mercurial, please ensure that you keep the system version up to date.

For a full description of the latest version of Sourcetree, see the release
notes for macOS and Windows. You can download the latest versions of Sourcetree
from the Sourcetree website (https://www.sourcetreeapp.com/).


Support:
Atlassian supports SourceTree through the Atlassian Community. If you
have questions or concerns regarding this advisory, go to
https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree.