Technical Advisory: Shell Injection in SourceTree

Vendor: Atlassian
Vendor URL:
Versions affected: v1.9.8 known affected version, earlier versions possible
Systems Affected: Mac OS X known affected, others possible
Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust>
Advisory URL / CVE Identifier:
Risk: Critical (reliable remote code execution)

Summary

SourceTree is a product for working with various types of code repositories.

SourceTree registers its own URL handler for sourcetree:// URLs, which is vulnerable to shell command injection.

Location

sourcetree:// URL handler

Impact

Attackers can execute arbitrary shell commands on computers running SourceTree 1.9.8 or earlier by getting a user to visit a malicious website or click a sourcetree:// URL.

Details

SourceTree v1.9.8 and earlier are affected by a shell injection flaw in the handling of sourcetree:// URLs. The checkoutRef action uses the cloneURL variable as part of a shell command without proper sanitization, so shell metacharacters in that value are interpreted by the shell rather than treated as part of the URL. It is possible to trigger this from a browser using a META refresh tag that redirects to a sourcetree:// URL, so no click on the link itself is required.
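The following is an added example, not SourceTree's code or the proof of concept exchanged with Atlassian: it contrasts the string-built shell command pattern the advisory describes with a handler that passes the clone URL as a single argv element and validates it first. The sourcetree://checkoutRef?cloneURL=...&ref=... layout, the function names and the allowed-character set are assumptions.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Assumed handler URL layout: sourcetree://<action>?cloneURL=<percent-encoded>&ref=<name>
ALLOWED_SCHEMES = {"https", "ssh", "git"}
# Allowlist for clone URLs: no spaces, quotes, ';', '|', '&', '$', backticks or redirects.
# scp-style "git@host:path" has no scheme and is deliberately not accepted here.
SAFE_URL = re.compile(r"[A-Za-z0-9._~:/@?#%+=\-\[\]]+")


def parse_handler_url(url):
    """Split a sourcetree:// URL into its action and decoded query parameters."""
    parts = urlsplit(url)
    if parts.scheme != "sourcetree":
        raise ValueError("not a sourcetree:// URL")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.netloc, params


def vulnerable_command(clone_url):
    """The unsafe pattern: a shell command built by concatenation (never executed here).
    Anything after ';' in clone_url would be parsed by the shell as a second command."""
    return "git clone " + clone_url


def validate_clone_url(clone_url):
    """Reject anything that is not a plain git transport URL made of allowlisted characters."""
    parsed = urlsplit(clone_url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise ValueError("unsupported clone URL scheme")
    if not SAFE_URL.fullmatch(clone_url):
        raise ValueError("clone URL contains disallowed characters")
    return clone_url


def safe_clone_argv(clone_url, dest):
    """Build an argv list: no shell, and '--' stops git from reading a leading '-' as an option."""
    return ["git", "clone", "--", validate_clone_url(clone_url), dest]


def handle_checkout_ref(url, dest):
    """Hardened handler: validate, then exec git directly without a shell."""
    action, params = parse_handler_url(url)
    if action != "checkoutRef" or "cloneURL" not in params:
        raise ValueError("unsupported action or missing cloneURL")
    subprocess.run(safe_clone_argv(params["cloneURL"], dest), shell=False, check=True)
```

Constructed test input: a clone URL carrying ";echo injected" passes through vulnerable_command unchanged but is rejected by validate_clone_url before any process is started.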

Recommendation

Upgrade to the latest version of SourceTree.

Vendor Communication

2016-10-06 - Initial contact with Atlassian to request a security
2016-10-06 - Atlassian notes that it has a portal for reporting
   vulnerabilities and provides invites, as well as providing a
   PGP key
2016-10-12 - Provided Atlassian with a draft of this document and
   proof of concept exploit via email with PGP
2016-10-14 - Atlassian notes that the latest version of SourceTree,
   version 2.3.1, is not vulnerable
2016-10-20 - Asked Atlassian to confirm that we are OK to publish
   since the latest version is not vulnerable
2016-10-26 - Atlassian agrees but asks for a severity rating to
   ensure we publish with the same severity rating
2017-01-16 - Notified Atlassian that we identify the severity as
2017-01-16 - Atlassian asks us to notify them when we are going
   to release the advisory so they can coordinate their release
2017-02-15 - Notified Atlassian by email that we are preparing the
   advisory for release

Thanks to

Syndis - For discovering the bug

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date:  24 February 2017