Uploaded image for project: 'Sourcetree For Mac'
  1. Sourcetree For Mac
  2. SRCTREE-5246

Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831

    XMLWordPrintable

Details

    • Severity 1 - Critical

    Description

      The embedded version of Git LFS used in Sourcetree for macOS was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for macOS by adding a .lfsconfig file containing a malicious lfs url, allowing them to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS. This vulnerability can also be triggered from a web page through the use of the Sourcetree URI handler.

      Affected versions:

      • Versions of Sourcetree for macOS starting with 2.1 before version 2.7.0 are affected by this vulnerability

      Fix:

      For additional details see the full advisory.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. SRCTREEWIN-8261 Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831

          • Highest - Our top priority issues
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. SRCTREE-5243 Various argument and command injection issues in Sourcetree for macOS - CVE-2017-14592

          • Highest - Our top priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. SRCTREE-5244 Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

          • Highest - Our top priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. SRCTREEWIN-8256 Various argument and command injection issues - CVE-2017-14593

          • Highest - Our top priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. SRCTREEWIN-8257 Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

          • Highest - Our top priority issues
          • Closed

          SECENG-971 Loading...

          Activity

            People

              Unassigned Unassigned
              dblack David Black
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: