[SRCTREE-5246] Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 2.7
Affects Version/s: 2.1
Component/s: None
Labels:

Symptom Severity:
Severity 1 - Critical

The embedded version of Git LFS used in Sourcetree for macOS was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for macOS by adding a .lfsconfig file containing a malicious lfs url, allowing them to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS. This vulnerability can also be triggered from a web page through the use of the Sourcetree URI handler.

Affected versions:

Versions of Sourcetree for macOS starting with 2.1 before version 2.7.0 are affected by this vulnerability

Fix:

Upgrade Sourcetree for macOS to version 2.7.0 or higher from https://www.sourcetreeapp.com/ .

For additional details see the full advisory.

is related to

SRCTREEWIN-8261 Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831

Closed

relates to

SRCTREE-5243 Various argument and command injection issues in Sourcetree for macOS - CVE-2017-14592

Closed

SRCTREE-5244 Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

Closed

SRCTREEWIN-8256 Various argument and command injection issues - CVE-2017-14593

Closed

SRCTREEWIN-8257 Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

Closed

SECENG-971 Loading...

(1 relates to)

David Black made changes - 13/Nov/2019 11:47 PM

Labels

Original: CVE-2017-17831 advisory cvss-critical security

New: CVE-2017-17831 advisory advisory-released cvss-critical security

Monique Khairuliana (Inactive) made changes - 30/Sep/2019 4:13 AM

Workflow

Original: JAC Bug Workflow v3 [ 3372205 ]

New: SRCTREE JAC Bug Workflow [ 3737774 ]

Monique Khairuliana (Inactive) made changes - 16/Aug/2019 1:01 AM

Workflow

Original: SourceTree Bug Workflow [ 2494868 ]

New: JAC Bug Workflow v3 [ 3372205 ]

Security Metrics Bot made changes - 24/Jan/2018 5:52 PM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 09/Jan/2018 1:23 AM

Description

Original: The embedded version of [Git LFS|https://git-lfs.github.com] used in Sourcetree for macOS was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for macOS by adding a .lfsconfig file containing a malicious lfs url, allowing them to execute arbitrary code on systems a running a vulnerable version of Sourcetree for macOS. This vulnerability can also be triggered from a web page through the use of the Sourcetree URI handler.

*Affected versions:*
* Versions of Sourcetree for macOS starting with 2.1 before version 2.7.0 are affected by this vulnerability

*Fix:*
* Upgrade Sourcetree for macOS to version 2.7.0 or higher from https://www.sourcetreeapp.com/ .

For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].

New: The embedded version of [Git LFS|https://git-lfs.github.com] used in Sourcetree for macOS was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for macOS by adding a .lfsconfig file containing a malicious lfs url, allowing them to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS. This vulnerability can also be triggered from a web page through the use of the Sourcetree URI handler.

*Affected versions:*
* Versions of Sourcetree for macOS starting with 2.1 before version 2.7.0 are affected by this vulnerability

*Fix:*
* Upgrade Sourcetree for macOS to version 2.7.0 or higher from https://www.sourcetreeapp.com/ .

For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].

David Black made changes - 03/Jan/2018 4:37 AM

Remote Link

New: This issue links to "SECENG-971 (Security JIRA (CYBER/J))" [ 342142 ]

David Black made changes - 21/Dec/2017 11:21 PM

Description

New: The embedded version of [Git LFS|https://git-lfs.github.com] used in Sourcetree for macOS was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for macOS by adding a .lfsconfig file containing a malicious lfs url, allowing them to execute arbitrary code on systems a running a vulnerable version of Sourcetree for macOS. This vulnerability can also be triggered from a web page through the use of the Sourcetree URI handler.

*Affected versions:*
* Versions of Sourcetree for macOS starting with 2.1 before version 2.7.0 are affected by this vulnerability

*Fix:*
* Upgrade Sourcetree for macOS to version 2.7.0 or higher from https://www.sourcetreeapp.com/ .

For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].

David Black made changes - 21/Dec/2017 11:17 PM

Link

New: This issue is related to ~~SRCTREEWIN-8261~~ [ ~~SRCTREEWIN-8261~~ ]

David Black made changes - 21/Dec/2017 11:17 PM

Link

Original: This issue was cloned as ~~SRCTREEWIN-8261~~ [ ~~SRCTREEWIN-8261~~ ]

David Black made changes - 21/Dec/2017 11:17 PM

Labels

Original: advisory cvss-critical security

New: CVE-2017-17831 advisory cvss-critical security

Assignee:: Unassigned

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 21/Dec/2017 5:04 AM

Updated:: 13/Nov/2019 11:47 PM

Resolved:: 21/Dec/2017 5:06 AM

Sourcetree For Mac

Details

Description

Attachments

Issue Links

Forms

Activity

[SRCTREE-5246] Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831

People

Dates