Uploaded image for project: 'Sourcetree For Mac'
  1. Sourcetree For Mac
  2. SRCTREE-5243

Various argument and command injection issues in Sourcetree for macOS - CVE-2017-14592

    • Severity 1 - Critical

      Sourcetree for macOS had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

      Affected versions:

      • Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability.

      Fix:

      Acknowledgements
      Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

      For additional details see the full advisory.

            [SRCTREE-5243] Various argument and command injection issues in Sourcetree for macOS - CVE-2017-14592

            CVSS v3 score: 9.6 => Critical severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction Required

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

            David Black added a comment - CVSS v3 score: 9.6 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

              Unassigned Unassigned
              dblack David Black
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: