[SRCTREE-8168] RCE (Remote Code Execution) in Sourcetree for Mac and Sourcetree for Windows

Type: Public Security Vulnerability
Resolution: Fixed
Priority: High
Fix Version/s: 4.2.9, 3.4.20
Affects Version/s: 4.2.8, 3.4.19
Component/s: None
Labels:

CVSS Score:
8.8
CVSS Severity:
High
CVE ID:
CVE-2024-21697
Vulnerability Source:
Penetration Testing
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Classes:

RCE (Remote Code Execution), Security Misconfiguration
Affected Product(s):

Sourcetree for Mac, Sourcetree for Windows

This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.

Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9
Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20

See the release notes (https://www.sourcetreeapp.com/download-archives). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center (https://www.sourcetreeapp.com/download-archives).

This vulnerability was reported via our Penetration Testing program.

Security Metrics Bot made changes - 19/Nov/2024 10:28 PM

Vulnerability Classes

Original: RCE (Remote Code Execution) [ 18143 ]

New: Security Misconfiguration,RCE (Remote Code Execution) [ 18148, 18143 ]

prodsec-jac-bot made changes - 19/Nov/2024 6:00 PM

Resolution		New: Fixed [ 1 ]
Security	Original: Atlassian Staff [ 10750 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Zachary Echouafni made changes - 19/Nov/2024 1:58 PM

Description

Original: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19for Sourcetree for Windows.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.

Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
* Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9
* Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20

See the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]).

This vulnerability was reported via our Penetration Testing program.

New: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.

Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
* Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9
* Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20

See the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]).

This vulnerability was reported via our Penetration Testing program.

Zachary Echouafni made changes - 19/Nov/2024 1:58 PM

Description

Original: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 3.4.19 and 4.2.8 of Sourcetree for Mac and Sourcetree for Windows.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.

Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

* Sourcetree for Mac and Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20

See the release notes (https://www.sourcetreeapp.com/download-archives). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center (https://www.sourcetreeapp.com/download-archives).

This vulnerability was reported via our Penetration Testing program.

New: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19for Sourcetree for Windows.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.

Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
* Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9
* Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20

See the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]).

This vulnerability was reported via our Penetration Testing program.

Marcin Oles made changes - 19/Nov/2024 1:24 PM

Resolution	Original: Fixed [ 1 ]
Status	Original: Published [ 12873 ]	New: Draft [ 12872 ]

Marcin Oles made changes - 19/Nov/2024 1:24 PM

Fix Version/s

New: 4.2.9 [ 109792 ]

Mukesh Kumar made changes - 15/Nov/2024 9:35 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Mukesh Kumar added a comment - 15/Nov/2024 9:35 AM

Closing this ticket as this issue has been fixed in:
1. Sourcetree for Mac 4.2.9
2. Sourcetree for Windows 3.4.20

Mukesh Kumar added a comment - 15/Nov/2024 9:35 AM Closing this ticket as this issue has been fixed in: 1. Sourcetree for Mac 4.2.9 2. Sourcetree for Windows 3.4.20

Security Metrics Bot made changes - 14/Nov/2024 9:25 PM

Fix Version/s

Original: 4.2.9 [ 109792 ]

Arati Mohanty made changes - 11/Oct/2024 9:17 AM

Fix Version/s

New: 4.2.9 [ 109792 ]

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 23/Sep/2024 4:18 AM

Updated:: 19/Nov/2024 10:28 PM

Resolved:: 19/Nov/2024 6:00 PM

Sourcetree For Mac

Details

Description

Attachments

Forms

Activity

Collapse comment: Mukesh Kumar added a comment - 15/Nov/2024 9:35 AM

Expand comment: Mukesh Kumar added a comment - 15/Nov/2024 9:35 AM

People

Dates