Remote code execution vulnerability for Sourcetree for Windows - CVE-2019-11582
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.4%
There was an argument injection vulnerability in SourceTree for Windows in URI handlers. A remote, unauthenticated attacker was required to convince a user to interact with a crafted URL in order to exploit the vulnerability. With user interaction, an attacker could gained remote code execution on the target system by exploiting this issue.
Versions of Sourcetree for Windows starting with 0.5a before 3.1.3 are affected by this vulnerability.
For additional details, see the full advisory:Ā [https://confluence.atlassian.com/display/SOURCETREEKB/Sourcetree+Security+Advisory+2019-06-05]
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| sourcetree for windows | le | 0.5a | |
| sourcetree for windows | lt | 3.1.3 |
Related
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.4%