• Severity 2 - Major

      SourceTree for Mac had a shell injection vulnerability in versions from 1.9.8 before 2.3.1 (the fixed version). An attacker who could get a user with a vulnerable version of SourceTree for Mac installed to visit a malicious website, or to click a sourcetree:// URL, could use the shell injection to execute arbitrary commands on the victim's machine.
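      As an added illustration of the bug class described above (not code from SourceTree or Atlassian), the Python below contrasts the vulnerable pattern, splicing text taken from a custom-scheme URL into a command line that a shell would interpret, with a hardened handler that validates the remote and invokes git as an argv list with no shell involved. The sourcetree://clone?url=... shape, the function names and the sample URLs are assumptions made for this example; the advisory does not document SourceTree's real URL grammar.

```python
import re
import subprocess
from urllib.parse import urlparse, parse_qs

# Assumed handler URL shape for this example (not SourceTree's documented grammar):
#   sourcetree://clone?url=<percent-encoded remote repository URL>
ALLOWED_REMOTE_SCHEMES = {"https", "ssh"}
SHELL_META = re.compile(r"""[;&|`$(){}<>\\'"\s]""")


def extract_remote(handler_url: str) -> str:
    """Pull the remote repository URL out of a sourcetree://clone request."""
    parsed = urlparse(handler_url)
    if parsed.scheme != "sourcetree" or parsed.netloc != "clone":
        raise ValueError("not a clone request")
    remotes = parse_qs(parsed.query).get("url", [])
    if len(remotes) != 1:
        raise ValueError("exactly one url parameter is required")
    return remotes[0]


def unsafe_clone_command(handler_url: str) -> str:
    """Vulnerable pattern: the attacker-controlled remote is spliced into one
    string destined for /bin/sh -c, so metacharacters in the URL are
    interpreted by the shell instead of being passed to git as data."""
    return "git clone " + extract_remote(handler_url)


def safe_clone_argv(handler_url: str) -> list:
    """Hardened form: validate the remote, then build an argv list for
    subprocess.run(shell=False); no shell ever parses the input."""
    remote = extract_remote(handler_url)
    if urlparse(remote).scheme not in ALLOWED_REMOTE_SCHEMES:
        raise ValueError("remote scheme not allowed")  # also rejects ext:: / file:// and bare "-..." values
    if SHELL_META.search(remote):
        raise ValueError("remote contains shell metacharacters")
    # "--" keeps git from reading a remote as an option, as defence in depth.
    return ["git", "clone", "--", remote]


def rejects(handler_url: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        safe_clone_argv(handler_url)
    except ValueError:
        return True
    return False


def run_clone(handler_url: str, dest_dir: str) -> subprocess.CompletedProcess:
    """Execute the validated clone in argv form; never shell=True."""
    return subprocess.run(safe_clone_argv(handler_url), cwd=dest_dir, check=True)
```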


      Affected versions:

      • All versions of SourceTree for Mac from 1.9.8 before 2.3.1 (the fixed version) are affected by this vulnerability. 

      Fix:

      • SourceTree for Mac version 2.3.2 is available for download from https://www.sourcetreeapp.com/?v=mac

      Acknowledgements:

      We would like to credit Matthew Diaz of NCC Group Security Advisory for reporting this issue to us.

            [SRCTREE-4481] Shell Injection in SourceTree for Mac

            Change history (newest first):

            Monique Khairuliana (Inactive) made changes -
            Workflow Original: JAC Bug Workflow v3 [ 3370346 ] New: SRCTREE JAC Bug Workflow [ 3737221 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: SourceTree Bug Workflow [ 1638177 ] New: JAC Bug Workflow v3 [ 3370346 ]
            Brian Ganninger (Inactive) made changes -
            Component/s Original: Mac [ 42101 ]
            David Black made changes -
            Labels Original: advisory security New: advisory advisory-released cvss-critical security
            David Black made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            David Black made changes -
            Fix Version/s New: 2.3.2 [ 64350 ]
            David Black made changes -
            Description (only the Fix bullet changed; the rest of the description is identical to the advisory text above) Original: SourceTree for Mac version 2.4 is available for download from https://www.sourcetreeapp.com/?v=mac New: SourceTree for Mac version 2.3.2 is available for download from https://www.sourcetreeapp.com/?v=mac
            David Black made changes -
            Description (only the Fix bullet changed) Original: SourceTree for Mac version 2.3.1 is available for download from https://www.sourcetreeapp.com/?v=mac New: SourceTree for Mac version 2.4 is available for download from https://www.sourcetreeapp.com/?v=mac
            David Black made changes -
            Link New: This issue relates to SRCTREE-4133 [ SRCTREE-4133 ]
            David Black made changes -
            Summary Original: Shell Injection in SourceTree New: Shell Injection in SourceTree for Mac
