Argument Injection Vulnerability in Sourcetree for macOS by Atlassian
CVE-2018-13385

9.8CRITICAL

Key Information:

Vendor: Atlassian
Status: Sourcetree For Mac OS
Vendor: CVE Published:; 24 July 2018

What is CVE-2018-13385?

An argument injection vulnerability exists in the Sourcetree application for macOS, allowing attackers with commit permissions in linked Mercurial repositories to exploit this flaw. By manipulating filenames, they can potentially execute arbitrary code on the victim's system. This issue affects all versions from 1.0b2 up to, but not including, 2.7.6. Users are recommended to update to the latest version to mitigate this security risk.

Affected Version(s)

Sourcetree for macOS < 2.7.6

References

https://jira.atlassian.com/browse/SRCTREE-5846

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 24, 2018
Vulnerability Reserved
Jul 6, 2018