Argument and Command Injection Vulnerability in Sourcetree for Windows by Atlassian
CVE-2017-14593
8.8 HIGH
Summary
Sourcetree for Windows contains argument and command injection vulnerabilities in its handling of Mercurial and Git repositories. An attacker with permission to commit to a linked repository can exploit them to execute arbitrary code on an affected system. The issue can also be triggered through the Sourcetree URI handler, for example from a webpage. It affects versions from 0.5.1.0 up to but not including 2.4.7.0, so users should confirm that they are running a version outside that range.
Affected Version(s)
Sourcetree for Windows: versions starting with 0.5.1.0 and before 2.4.7.0
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved