Shell Injection in SourceTree for Mac

2017-01-17T04:45:59
ID ATLASSIAN:SRCTREE-4481
Type atlassian
Reporter dblack
Modified 2019-01-14T20:25:44

Description

SourceTree for Mac had a shell injection vulnerability in versions starting with 1.9.8 and prior to 2.3.1 (the fixed version). By luring a user who has a vulnerable version of SourceTree for Mac installed to a malicious website, or by convincing that user to click a sourcetree:// URL, an attacker could use the shell injection vulnerability to execute arbitrary commands on the victim's machine.

Affected versions:

* All versions of SourceTree for Mac from 1.9.8 before 2.3.1 (the fixed version) are affected by this vulnerability.

Fix:

* SourceTree for Mac version 2.3.2 is available for download from https://www.sourcetreeapp.com/?v=mac.

Acknowledgements:

We would like to credit Matthew Diaz of NCC Group Security Advisory for reporting this issue to us.