Technical Advisory: Shell Injection in SourceTree
Vendor: Atlassian
Vendor URL: http://atlassian.com
Versions affected: v1.9.8 known affected version, earlier versions possible
Systems Affected: Mac OS X known affected, others possible
Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust>
Advisory URL / CVE Identifier: https://jira.atlassian.com/browse/SRCTREE-4481
Risk: Critical (reliable remote code execution)
Summary

SourceTree is an Atlassian desktop client for working with various types of code repositories. SourceTree registers its own URL handler for sourcetree:// URLs, and that handler is vulnerable to shell command injection.
Location

sourcetree:// URL handler

Impact
Attackers can execute arbitrary shell commands on computers running SourceTree 1.9.8 or earlier by getting a user to visit a malicious website or click a
Details

SourceTree v1.9.8 and earlier are affected by a shell injection flaw in the handling of sourcetree:// URLs. The checkoutRef action uses the cloneURL variable as part of a shell command without proper sanitization. It is possible to trigger this through a browser using a META refresh tag which redirects to a
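As an added illustration of the flaw described above (this is not SourceTree's code and not the proof of concept sent to Atlassian), the following Python models a checkoutRef handler two ways: the string-built shell command the advisory describes, beside an argv-based version that allowlists the clone URL scheme and never hands the value to a shell. The URL layout sourcetree://checkoutRef?cloneUrl=...&ref=..., the parameter names, the `git clone ... && git checkout` command shape and the `lure_page` META refresh wrapper are assumptions. git itself is replaced by a shell function that only echoes its arguments, so the demo runs offline, and the attacker input (a clone URL with `; touch pwned` appended) is constructed for the example.

```python
"""Toy model of a sourcetree://checkoutRef handler: the vulnerable
string-built shell command beside a hardened argv-based version.

Added example, not SourceTree's code. The URL layout, parameter names and
command shape are assumptions; the advisory only states that the
checkoutRef action puts cloneURL into a shell command unsanitised.
"""
import html
import os
import re
import subprocess
import tempfile
from urllib.parse import parse_qs, urlencode, urlsplit

ALLOWED_CLONE_SCHEMES = {"https", "ssh", "git"}
SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")

# Stand-in for git so the demo runs offline: a shell function that echoes
# its arguments instead of cloning anything.
FAKE_GIT = 'git() { echo "git $*"; }; '


def make_handler_url(clone_url, ref):
    """Build the URL an attacker would embed in a page (assumed layout)."""
    return "sourcetree://checkoutRef?" + urlencode({"cloneUrl": clone_url, "ref": ref})


def lure_page(handler_url):
    """Minimal page that bounces the browser into the handler via META refresh."""
    return ('<meta http-equiv="refresh" content="0;url='
            + html.escape(handler_url, quote=True) + '">')


def parse_handler_url(url):
    """Return (action, cloneUrl, ref) from a sourcetree:// URL."""
    parts = urlsplit(url)
    if parts.scheme != "sourcetree":
        raise ValueError("not a sourcetree:// URL")
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.netloc, query.get("cloneUrl", [""])[0], query.get("ref", ["master"])[0]


def vulnerable_command(clone_url, ref):
    """The flawed pattern: the untrusted value is pasted into a shell string."""
    return f"git clone {clone_url} repo && cd repo && git checkout {ref}"


def hardened_argvs(clone_url, ref):
    """Validated argv lists; nothing here is ever parsed by a shell."""
    scheme = urlsplit(clone_url).scheme
    if scheme not in ALLOWED_CLONE_SCHEMES:
        raise ValueError(f"refusing clone URL scheme {scheme!r}")
    if clone_url.startswith("-") or not SAFE_REF.match(ref):
        raise ValueError("argument rejected: looks like an option or a bad ref")
    return [
        ["git", "clone", "--", clone_url, "repo"],
        ["git", "-C", "repo", "checkout", ref],
    ]


def run_vulnerable(handler_url, workdir):
    """Dispatch through the flawed handler: one string, parsed by /bin/sh."""
    _, clone_url, ref = parse_handler_url(handler_url)
    cmd = FAKE_GIT + vulnerable_command(clone_url, ref)
    return subprocess.run(["sh", "-c", cmd], cwd=workdir,
                          capture_output=True, text=True).stdout


def run_hardened(handler_url, workdir):
    """Dispatch through the argv-based handler; the URL stays one argument."""
    _, clone_url, ref = parse_handler_url(handler_url)
    out = []
    for argv in hardened_argvs(clone_url, ref):
        # argv[1:] travel as positional parameters, so "$@" hands them to the
        # stand-in verbatim; a real handler would use execv/posix_spawn directly.
        proc = subprocess.run(["sh", "-c", FAKE_GIT + 'git "$@"', "sh", *argv[1:]],
                              cwd=workdir, capture_output=True, text=True)
        out.append(proc.stdout)
    return "".join(out)


def payload_ran(workdir):
    """True if the constructed `touch pwned` payload executed in workdir."""
    return os.path.exists(os.path.join(workdir, "pwned"))


def compare(clone_url, ref="master"):
    """Run the same crafted URL through both handlers in scratch directories
    and report, per handler, whether the embedded command actually ran."""
    url = make_handler_url(clone_url, ref)
    result = {}
    for name, runner in (("vulnerable", run_vulnerable), ("hardened", run_hardened)):
        with tempfile.TemporaryDirectory() as workdir:
            try:
                runner(url, workdir)
            except ValueError:
                pass  # the hardened handler refused the input; nothing ran
            result[name] = payload_ran(workdir)
    return result


if __name__ == "__main__":
    # Constructed attacker input: a plausible clone URL with a command appended.
    print(compare("https://example.invalid/r.git; touch pwned"))
```

The vulnerable path creates the `pwned` file because the shell splits the pasted value at `;`; the hardened path passes the whole value as a single argv element after `--`, so the same input is merely an (invalid) clone URL. The scheme allowlist is a separate, necessary check: an argv-based handler still must not let a page pick `file:` or `ext::` style transports.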
Recommendation

Upgrade to the latest version of SourceTree. Atlassian reports that version 2.3.1, the latest release at the time of disclosure, is not vulnerable.
Vendor Communication

2016-10-06 - Initial contact with Atlassian to request a security contact
2016-10-06 - Atlassian notes that it has a portal for reporting vulnerabilities and provides invites, as well as providing a PGP key
2016-10-12 - Provided Atlassian with a draft of this document and proof of concept exploit via email with PGP
2016-10-14 - Atlassian notes that the latest version of SourceTree, version 2.3.1, is not vulnerable
2016-10-20 - Asked Atlassian to confirm that we are OK to publish since the latest version is not vulnerable
2016-10-26 - Atlassian agrees but asks for a severity rating to ensure we publish with the same severity rating
2017-01-16 - Notified Atlassian that we rate the severity as critical
2017-01-16 - Atlassian asks us to notify them when we are going to release the advisory so they can coordinate their release
2017-02-15 - Notified Atlassian by email that we are preparing the advisory for release
Thanks to

Syndis - For discovering the bug
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date:  24 February 2017