[SRCTREEWIN-8261] Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 2.4.7.0
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 1 - Critical

The embedded version of Git LFS used in Sourcetree for Windows was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for Windows by adding a .lfsconfig file containing a malicious lfs url, allowing them to execute arbitrary code on systems running a vulnerable version of Sourcetree for Windows. This vulnerability can also be triggered from a web page through the use of the Sourcetree URI handler.

Affected versions:

Versions of Sourcetree for Windows starting with 1.7.0 before version 2.4.7.0 are affected by this vulnerability.

Fix:

Upgrade Sourcetree for Windows to version 2.4.7.0 or higher from https://www.sourcetreeapp.com/ .

For additional details see the full advisory.

relates to

SRCTREE-5243 Various argument and command injection issues in Sourcetree for macOS - CVE-2017-14592

Closed

SRCTREE-5244 Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

Closed

SRCTREE-5246 Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831

Closed

SRCTREEWIN-8256 Various argument and command injection issues - CVE-2017-14593

Closed

SRCTREEWIN-8257 Mercurial: arbitrary command execution in mercurial repositories with a git submodule - CVE-2017-17458

Closed

SECENG-971 Loading...

(1 relates to)

David Black added a comment - 21/Dec/2017 11:16 PM

CVSS v3 score: 9.6 => Critical severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

David Black added a comment - 21/Dec/2017 11:16 PM CVSS v3 score: 9.6 => Critical severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Assignee:: Unassigned

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 21/Dec/2017 11:14 PM

Updated:: 13/Nov/2019 11:50 PM

Resolved:: 21/Dec/2017 11:17 PM

Sourcetree for Windows

Details

Description

Attachments

Issue Links

Forms

Activity

[SRCTREEWIN-8261] Git LFS: Arbitrary command execution in repositories with Git LFS enabled - CVE-2017-17831

Collapse comment: David Black added a comment - 21/Dec/2017 11:16 PM

Expand comment: David Black added a comment - 21/Dec/2017 11:16 PM

People

Dates