Uploaded image for project: 'Sourcetree For Mac'
  1. Sourcetree For Mac
  2. SRCTREE-5244

Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

XMLWordPrintable

    • Severity 1 - Critical

      The embedded version of Mercurial used in Sourcetree for macOS was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for macOS by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS.
      Sourcetree for macOS performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

      Affected versions:

      • Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability

      Fix:

      Acknowledgements
      Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

      For additional details see the full advisory.

            [SRCTREE-5244] Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

            David Black made changes -
            Labels Original: CVE-2017-17458 advisory cvss-critical security New: CVE-2017-17458 advisory advisory-released cvss-critical security
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: JAC Bug Workflow v3 [ 3371266 ] New: SRCTREE JAC Bug Workflow [ 3737629 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: SourceTree Bug Workflow [ 2494865 ] New: JAC Bug Workflow v3 [ 3371266 ]
            David Black made changes -
            Description Original: The embedded version of Mercurial used in Sourcetree for macOS was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for macOS by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS.
            Sourcetree for macOS performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.


            *Affected versions:*
            * Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability


            *Fix:*
            * Upgrade Sourcetree for macOS to version 2.7.0 or higher from https://www.sourcetreeapp.com/ .


            *Acknowledgements*
            Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.

            For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].             		New: The embedded version of Mercurial used in Sourcetree for macOS was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for macOS by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS.
             Sourcetree for macOS performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

            *Affected versions:*
             * Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability

            *Fix:*
             * Upgrade Sourcetree for macOS to version 2.7.0 or higher from [https://www.sourcetreeapp.com/] .

            *Acknowledgements*
             Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

            For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].
            Security Metrics Bot made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            David Black made changes -
            Description Original: The embedded version of Mercurial used in Sourcetree for macOS was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for macOS by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS.
            Sourcetree for macOS performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.


            *Affected versions:*
            * Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability


            *Fix:*
            * Upgrade Sourcetree for macOS to version 2.7.0 or higher from https://www.sourcetreeapp.com/ .


            *Acknowledgements*
            Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.

            For additional details see the full advisory.             		New: The embedded version of Mercurial used in Sourcetree for macOS was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for macOS by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS.
            Sourcetree for macOS performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.


            *Affected versions:*
            * Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability


            *Fix:*
            * Upgrade Sourcetree for macOS to version 2.7.0 or higher from https://www.sourcetreeapp.com/ .


            *Acknowledgements*
            Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.

            For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].
            David Black made changes -
            Link New: This issue is related to SRCTREE-5247 [ SRCTREE-5247 ]
            David Black made changes -
            Link New: This issue is related to SRCTREE-5246 [ SRCTREE-5246 ]
            David Black made changes -
            Link New: This issue is related to SRCTREEWIN-8257 [ SRCTREEWIN-8257 ]
            David Black made changes -
            Link Original: This issue was cloned as SRCTREEWIN-8257 [ SRCTREEWIN-8257 ]

              Unassigned Unassigned
              dblack David Black
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: