Command Injection via URI handling in Sourcetree for Windows - CVE-2018-20236

    • Severity 1 - Critical

      There was a command injection vulnerability in Sourcetree for Windows via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows and, by exploiting this issue, gain code execution on the system.

      Affected versions:

      • Versions of Sourcetree for Windows before version 3.0.10 are affected by this vulnerability

      Fix:

      • Upgrade Sourcetree for Windows to version 3.0.10 or higher from https://www.sourcetreeapp.com/

      For additional details see the full advisory: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2019-03-06-966678691.html

            [SRCTREEWIN-11291] Command Injection via URI handling in Sourcetree for Windows - CVE-2018-20236

            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 847669 ]
            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 846155 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: JAC Bug Workflow v3 [ 3453121 ] New: SRCTREE JAC Bug Workflow [ 3745030 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: SourceTree Bug Workflow [ 3089791 ] New: JAC Bug Workflow v3 [ 3453121 ]
            David Black made changes -
            Labels Original: CVE-2018-20236 advisory advisory-to-release bugbounty command-injection cvss-critical security New: CVE-2018-20236 advisory advisory-released bugbounty command-injection cvss-critical security
            Erin Jensby made changes -
            Security Original: Atlassian Staff [ 10750 ]
            Erin Jensby made changes -
            Description Original: There was a command injection vulnerability in Sourcetree for Windows via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system.
            h4. Affected versions:
             * Versions of Sourcetree for Windows before version 3.0.10 are affected by this vulnerability

            h4. Fix:
             * Upgrade Sourcetree for Windows to version 3.0.10 or higher from [https://www.sourcetreeapp.com/]

            For additional details see the full advisory. <CAC page here>

             
            New: There was a command injection vulnerability in Sourcetree for Windows via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system.
            h4. Affected versions:
             * Versions of Sourcetree for Windows before version 3.0.10 are affected by this vulnerability

            h4. Fix:
             * Upgrade Sourcetree for Windows to version 3.0.10 or higher from [https://www.sourcetreeapp.com/]

            For additional details see the full advisory: https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2019-03-06-966678691.html
            AB made changes -
            Remote Link Original: This issue links to "Page (Confluence)" [ 410421 ]
            Clement made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 412621 ]
            AB made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 410421 ]
