[SRCTREEWIN-8257] Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 1 - Critical

The embedded version of Mercurial used in Sourcetree for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for Windows by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for Windows.
Sourcetree for Windows performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

Affected versions:

Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability.

Fix:

Upgrade Sourcetree for Windows to version 2.4.7.0 or higher from https://www.sourcetreeapp.com/ .

Acknowledgements
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

For additional details see the full advisory.

is related to

SRCTREE-5246 Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831

Closed

SRCTREEWIN-8261 Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831

Closed

relates to

SRCTREE-5244 Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

Closed

SRCTREEWIN-8256 Various argument and command injection issues - CVE-2017-14593

Closed

SECENG-971 Failed to load

David Black made changes - 13/Nov/2019 11:48 PM

Labels

Original: CVE-2017-17458 advisory cvss-critical security

New: CVE-2017-17458 advisory advisory-released cvss-critical security

Monique Khairuliana (Inactive) made changes - 30/Sep/2019 4:22 AM

Workflow

Original: JAC Bug Workflow v3 [ 3453729 ]

New: SRCTREE JAC Bug Workflow [ 3743351 ]

Monique Khairuliana (Inactive) made changes - 26/Aug/2019 5:15 AM

Workflow

Original: SourceTree Bug Workflow [ 2494866 ]

New: JAC Bug Workflow v3 [ 3453729 ]

David Black made changes - 08/Mar/2018 6:08 AM

Description

Original: The embedded version of Mercurial used in Sourcetree for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for Windows by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for Windows.
Sourcetree for Windows performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

*Affected versions:*
* Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability.

*Fix:*
* Upgrade Sourcetree for Windows to version 2.4.7.0 or higher from https://www.sourcetreeapp.com/ .

*Acknowledgements*
Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.

For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].

New: The embedded version of Mercurial used in Sourcetree for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for Windows by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for Windows.
Sourcetree for Windows performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

*Affected versions:*
* Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability.

*Fix:*
* Upgrade Sourcetree for Windows to version 2.4.7.0 or higher from [https://www.sourcetreeapp.com/] .

*Acknowledgements*
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].

Security Metrics Bot made changes - 24/Jan/2018 5:52 PM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 21/Dec/2017 11:21 PM

Description

New: The embedded version of Mercurial used in Sourcetree for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they can commit to a Mercurial repository linked in Sourcetree for Windows by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script, allowing the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for Windows.
Sourcetree for Windows performs background indexing which allows for this issue to be exploited without a user needing to directly interact with the git subrepository. From version 1.4.0 of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

*Affected versions:*
* Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability.

*Fix:*
* Upgrade Sourcetree for Windows to version 2.4.7.0 or higher from https://www.sourcetreeapp.com/ .

*Acknowledgements*
Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.

For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].

David Black made changes - 21/Dec/2017 11:14 PM

Link

New: This issue is related to ~~SRCTREE-5247~~ [ ~~SRCTREE-5247~~ ]

David Black made changes - 21/Dec/2017 5:05 AM

Link

New: This issue is related to ~~SRCTREE-5246~~ [ ~~SRCTREE-5246~~ ]

David Black made changes - 21/Dec/2017 4:48 AM

Link

New: This issue relates to SRCTREEWIN-8119 [ SRCTREEWIN-8119 ]

David Black made changes - 21/Dec/2017 4:47 AM

Link

New: This issue relates to ~~SRCTREE-5244~~ [ ~~SRCTREE-5244~~ ]

Assignee:: Unassigned

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 21/Dec/2017 4:45 AM

Updated:: 13/Nov/2019 11:48 PM

Resolved:: 21/Dec/2017 4:47 AM

Sourcetree for Windows

Details

Description

Attachments

Issue Links

Forms

Activity

[SRCTREEWIN-8257] Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

People

Dates