[SRCTREEWIN-13182] Git submodules vulnerability in Sourcetree for Windows - CVE-2020-5260 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 3.3.9
Affects Version/s: 3.2.2
Component/s: Git
Labels:

Symptom Severity:
Severity 2 - Major

There was a vulnerability in Sourcetree for macOS and windows that could reveal Git user credentials via maliciously crafted URL by an attacker, This vulnerability is triggered when the affected version of Git is used to execute a git clone command on a malicious URL.

Affected versions of Atlassian Sourcetree For Mac allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Git.

Affected versions of Atlassian Sourcetree for Windows allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Git.

Affected versions:

Windows version 3.2.2 and earlier

Fixed versions:

Windows version 3.3.9

Released Sourcetree for Windows version 3.3.9 that contains fixes for these issues and can be downloaded from https://www.sourcetreeapp.com/.

For additional details, see the full advisory

mentioned in: Page Failed to load; Page Failed to load

Security Metrics Bot added a comment - 18/Aug/2020 4:57 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 9.3 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Security Metrics Bot added a comment - 18/Aug/2020 4:57 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 9.3 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 18/Aug/2020 4:57 PM

Updated:: 19/Nov/2020 4:39 AM

Resolved:: 25/Aug/2020 1:04 AM

Sourcetree for Windows

Details

Description

Attachments

Issue Links

Forms

Activity

[SRCTREEWIN-13182] Git submodules vulnerability in Sourcetree for Windows - CVE-2020-5260

Collapse comment: Security Metrics Bot added a comment - 18/Aug/2020 4:57 PM

Expand comment: Security Metrics Bot added a comment - 18/Aug/2020 4:57 PM

People

Dates