[SRCTREEWIN-11917] Remote code execution vulnerability for Sourcetree for Windows - CVE-2019-11582 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 3.1.3
Affects Version/s: 0.5a
Component/s: None
Labels:

Symptom Severity:
Severity 1 - Critical

There was an argument injection vulnerability in SourceTree for Windows in URI handlers. A remote, unauthenticated attacker was required to convince a user to interact with a crafted URL in order to exploit the vulnerability. With user interaction, an attacker could gained remote code execution on the target system by exploiting this issue.

Versions of Sourcetree for Windows starting with 0.5a before 3.1.3 are affected by this vulnerability.

For additional details, see the full advisory: https://confluence.atlassian.com/display/SOURCETREEKB/Sourcetree+Security+Advisory+2019-06-05

mentioned in: Page Failed to load; Page Failed to load

relates to: SRCTREE-6943 Failed to load

logcabin (Inactive) added a comment - 28/May/2019 7:02 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 9.6 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

logcabin (Inactive) added a comment - 28/May/2019 7:02 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.6 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Assignee:: Unassigned

Reporter:: logcabin (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 28/May/2019 6:58 PM

Updated:: 13/Jun/2019 11:41 PM

Resolved:: 13/Jun/2019 11:32 PM

Sourcetree for Windows

Details

Description

Attachments

Issue Links

Forms

Activity

[SRCTREEWIN-11917] Remote code execution vulnerability for Sourcetree for Windows - CVE-2019-11582

Collapse comment: logcabin (Inactive) added a comment - 28/May/2019 7:02 PM

Expand comment: logcabin (Inactive) added a comment - 28/May/2019 7:02 PM

People

Dates