  1. Sourcetree for Windows
  2. SRCTREEWIN-13859

Potential 7z.exe vulnerability CVE-2022-29072

Details

    • Bug
    • Status: Needs Triage
    • Low
    • Resolution: Unresolved
    • 3.4.8, 3.4.9
    • None
    • General
    • None
    • Severity 2 - Major

    Description

      7z vulnerability CVE-2022-29072

      I don't know if Atlassian is aware of this issue or not, but while doing a vulnerability scan with my AV software, it detected 7z.exe under

      C:\Users\Name\AppData\Local\SourceTree\app-3.4.9\tools

      as a potential point of attack. It cited the 7-Zip vulnerability CVE-2022-29072 as the problem. Now, I don't know if Sourcetree comes packaged with 7-Zip or not, but I thought it was worthwhile raising the issue, not finding anything about it affecting Sourcetree elsewhere.

      Kaspersky Threats — KLA12514

      GitHub - kagancapar/CVE-2022-29072: 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.

      ⚠️ New 7-Zip Software Exploit Found! - Here's The Fix - YouTube

      Info on the exploit

          People

            Unassigned
            f0fae0cd7adb Jonty

            Dates

              Created:
              Updated:
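
One way to verify the scanner finding in the report above, as an added example (not part of the original report and not Atlassian's tooling): a PowerShell inventory of the 7z.exe copies under Sourcetree's app-* directories that flags file versions up to 21.07. The install root is assumed from the path in the report, and the function name is hypothetical.

```powershell
# Added example: list every 7z.exe bundled with Sourcetree and flag versions
# inside the range the CVE-2022-29072 description names ("through 21.07").
# Assumption: per-user install root, as in the path quoted in the report.
$root = Join-Path $env:LOCALAPPDATA 'SourceTree'
$lastAffected = [version]'21.7'   # 21.07 expressed as major.minor

function Get-Bundled7ZipStatus {   # hypothetical helper name
    param([string]$InstallRoot)

    # Each Sourcetree release keeps its own app-<version> directory, so older
    # copies of 7z.exe can remain on disk after an update.
    Get-ChildItem -Path $InstallRoot -Directory -Filter 'app-*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = Join-Path $_.FullName 'tools\7z.exe'
            if (-not (Test-Path -LiteralPath $exe)) { return }   # skip this directory

            $info = (Get-Item -LiteralPath $exe).VersionInfo
            if ([string]::IsNullOrEmpty($info.FileVersion)) {
                # No version resource: report as unknown rather than guessing.
                $ver = $null
                $inRange = $null
            } else {
                $ver = [version]::new($info.FileMajorPart, $info.FileMinorPart)
                $inRange = ($ver -le $lastAffected)
            }

            [pscustomobject]@{
                SourcetreeDir = $_.Name
                Path          = $exe
                FileVersion   = $ver
                InCveRange    = $inRange
                # Hash lets you compare the file against an official 7-Zip build.
                SHA256        = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
        }
}

Get-Bundled7ZipStatus -InstallRoot $root | Format-List
```

An `InCveRange` of `True` only means the bundled binary's version falls inside the range in the CVE description; that description refers to the Help>Contents area, so a match alone does not show that Sourcetree's use of 7z.exe is exposed.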