Uploaded image for project: 'Sourcetree for Windows'
  1. Sourcetree for Windows
  2. SRCTREEWIN-13410

RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955

XMLWordPrintable

    • Severity 1 - Critical

      There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.

      Affected versions:

      • Version 3.3.9 and earlier

       

      Fix

       

      For additional details, see the full advisory

            [SRCTREEWIN-13410] RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955

            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 847573 ]
            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 846036 ]
            Mitchell Johnson made changes -
            Security Original: Atlassian Staff [ 10750 ]
            Mitchell Johnson made changes -
            Description Original: There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.

            *Affected versions:*
             * Version 3.3.9 and earlier

             

            *Fix*
             * You can download the latest version of the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+27th+January+2021]             		New: There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.

            *Affected versions:*
             * Version 3.3.9 and earlier

             

            *Fix*
             * You can download the latest version of the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]
            Mitchell Johnson made changes -
            Link New: This issue was cloned as SRCTREEWIN-13480 [ SRCTREEWIN-13480 ]
            Clement made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 525376 ]
            Mitchell Johnson made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 524070 ]
            Mitchell Johnson made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 524069 ]
            Mitchell Johnson made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Needs Triage [ 10030 ] New: Closed [ 6 ]
            Mitchell Johnson made changes -
            Labels New: advisory cvss-critical security

              Unassigned Unassigned
              mjohnson2@atlassian.com Mitchell Johnson
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: