• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: High
• Fix Version/s: 4.2.9, 3.4.20
• Affects Version/s: 4.2.8, 3.4.19
• Component/s: None
• Labels:

  • advisory
  • advisory-to-release
  • dont-import
  • security

[SRCTREE-8168] RCE (Remote Code Execution) in Sourcetree for Mac and Sourcetree for Windows

Security Metrics Bot made changes - 19/Nov/2024 10:28 PM

Vulnerability Classes

Original: RCE (Remote Code Execution) [ 18143 ]

New: Security Misconfiguration,RCE (Remote Code Execution) [ 18148, 18143 ]

prodsec-jac-bot made changes - 19/Nov/2024 6:00 PM

Resolution		New: Fixed [ 1 ]
Security	Original: Atlassian Staff [ 10750 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Zachary Echouafni made changes - 19/Nov/2024 1:58 PM

Description

Original: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19for Sourcetree for Windows. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:  * Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9  * Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20 See the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]). This vulnerability was reported via our Penetration Testing program.

New: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:  * Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9  * Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20 See the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]). This vulnerability was reported via our Penetration Testing program.

Zachary Echouafni made changes - 19/Nov/2024 1:58 PM

Description

Original: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 3.4.19 and 4.2.8 of Sourcetree for Mac and Sourcetree for Windows. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Sourcetree for Mac and Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20 See the release notes (https://www.sourcetreeapp.com/download-archives). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center (https://www.sourcetreeapp.com/download-archives). This vulnerability was reported via our Penetration Testing program.

New: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19for Sourcetree for Windows. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:  * Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9  * Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20 See the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]). This vulnerability was reported via our Penetration Testing program.

Marcin Oles made changes - 19/Nov/2024 1:24 PM

Resolution	Original: Fixed [ 1 ]
Status	Original: Published [ 12873 ]	New: Draft [ 12872 ]

Marcin Oles made changes - 19/Nov/2024 1:24 PM

Fix Version/s

New: 4.2.9 [ 109792 ]

Mukesh Kumar made changes - 15/Nov/2024 9:35 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Security Metrics Bot made changes - 14/Nov/2024 9:25 PM

Fix Version/s

Original: 4.2.9 [ 109792 ]

Arati Mohanty made changes - 11/Oct/2024 9:17 AM

Fix Version/s

New: 4.2.9 [ 109792 ]

Security Metrics Bot made changes - 08/Oct/2024 6:42 PM

CVE ID

New: CVE-2024-21697

Load more older history items