Uploaded image for project: 'Sourcetree For Mac'
  1. Sourcetree For Mac
  2. SRCTREE-5846

Argument injection via Mercurial repository filenames - CVE-2018-13385

    • Severity 1 - Critical

      There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.

      Affected versions:

      • Versions of Sourcetree for macOS from 1.0b2 before 2.7.6 are affected by this vulnerability.

      Fix:

      For additional details, see the full advisory.

          Form Name

            [SRCTREE-5846] Argument injection via Mercurial repository filenames - CVE-2018-13385

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 9.8 => Critical severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

            David Black added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.8 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

              ablack@atlassian.com AB
              ablack@atlassian.com AB
              Affected customers:
              0 This affects my team
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: