Uploaded image for project: 'Sourcetree for Windows'
  1. Sourcetree for Windows
  2. SRCTREEWIN-8257

Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

XMLWordPrintable

    • Severity 1 - Critical

      The embedded version of Mercurial used in Sourcetree for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for Windows by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for Windows.
      Sourcetree for Windows performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

      Affected versions:

      • Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability.

      Fix:

      Acknowledgements
      Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

      For additional details see the full advisory.

              Unassigned Unassigned
              dblack David Black
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: