Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

SourceTree - Command Injection - CVE-2017-8768

Note: As of September 2014 we are no longer issuing binary bug patches, instead we create new maintenance releases for the major versions we are backporting.

Summary: CVE-2017-8768 - Command Injection
Advisory Release Date: 10:00 AM PDT (Pacific Time, -7 hours)
Products: SourceTree for Mac, SourceTree for Windows
Affected SourceTree Versions: SourceTree for Mac 1.4.0 <= version < 2.5.1; SourceTree for Windows 0.8.4b <= version < 2.0.20.1
Fixed SourceTree Versions: Versions of SourceTree for Mac equal to and above 2.5.1 contain a fix for this issue. Versions of SourceTree for Windows equal to and above 2.0.20.1 contain a fix for this issue.
CVE ID(s): CVE-2017-8768
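The affected ranges above are half-open intervals with a lower bound that carries a letter suffix ("0.8.4b"), which naive string comparison gets wrong. The following is an added example for checking an inventory of installed SourceTree versions against these ranges; it is not code from Atlassian or this advisory. It assumes a letter suffix denotes a later point release than the bare number (so 0.8.4b sorts after 0.8.4), and the platform keys, function names and inventory entries are constructed for the example.

```python
import re

# Affected ranges as stated in the advisory: low <= version < high.
AFFECTED_RANGES = {
    "mac": ("1.4.0", "2.5.1"),
    "windows": ("0.8.4b", "2.0.20.1"),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]*)")


def parse_version(text):
    """Split '2.0.20.1' or '0.8.4b' into (numeric tuple, suffix)."""
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2)


def version_key(text):
    """Comparable key: four numeric fields (zero-padded) then the suffix.

    Assumption: a letter suffix is a later point release than the bare
    number, so ('0.8.4', '') sorts before ('0.8.4', 'b').
    """
    nums, suffix = parse_version(text)
    nums = nums + (0,) * (4 - len(nums))
    return nums + (suffix,)


def is_affected(platform, installed):
    """True if the installed version falls inside the advisory's range."""
    low, high = AFFECTED_RANGES[platform]
    return version_key(low) <= version_key(installed) < version_key(high)


def affected_hosts(inventory):
    """Return the host names whose SourceTree build is still vulnerable."""
    return [host for host, platform, version in inventory
            if is_affected(platform, version)]


# Constructed inventory: (host, platform, installed SourceTree version).
SAMPLE_INVENTORY = [
    ("dev-mac-01", "mac", "2.4.1"),        # affected
    ("dev-mac-02", "mac", "2.5.1"),        # fixed version
    ("dev-mac-03", "mac", "1.3.9"),        # predates the affected range
    ("dev-win-01", "windows", "1.9.6.1"),  # affected
    ("dev-win-02", "windows", "0.8.4"),    # below 0.8.4b under our assumption
    ("dev-win-03", "windows", "2.0.20.1"), # fixed version
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required (CVE-2017-8768)")
```

Hosts reported by `affected_hosts` should be upgraded to 2.5.1 (Mac) or 2.0.20.1 (Windows) or later, as the advisory instructs; the Windows entries also need the older build uninstalled manually.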

Summary of Vulnerability

This advisory discloses a critical security vulnerability in versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 and SourceTree for Windows starting with 0.8.4b but before 2.0.20.1.

Customers who have upgraded SourceTree for Mac to version 2.5.1 are not affected. Customers who have upgraded SourceTree for Windows to version 2.0.20.1 are not affected.

Customers who have downloaded and installed SourceTree for Mac (the fixed version for 2.5.x) are not affected. Customers who have downloaded and installed SourceTree for Windows starting with (the fixed version for 2.0.x) are not affected.

Please upgrade SourceTree to the latest version to fix this vulnerability.

Command Injection (CVE-2017-8768)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 are affected by this vulnerability. This issue can be tracked here.

Versions of SourceTree for Windows starting with 0.8.4b but before 2.0.20.1 are affected by this vulnerability. This issue can be tracked here.

What You Need to Do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree, see the release notes for Mac and Windows. You can download the latest versions of SourceTree from the SourceTree website.

Upgrade SourceTree for Mac to version 2.5.1 or higher. Please note that SourceTree for Mac 2.5.0 and later require Mac OS X 10.11 or later.

Upgrade SourceTree for Windows to version 2.0.20.1 or higher and manually uninstall any older versions of SourceTree for Windows.

Support

If you did not receive an email for this advisory and wish to receive such emails in the future, please visit https://my.atlassian.com/email and subscribe to "Product information & updates" for SourceTree. To receive advisories for our other products, please visit https://my.atlassian.com/email and subscribe to the relevant product updates.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

Acknowledgments

Atlassian would like to credit Yu Hong for reporting this issue to us.

References

Severity Levels for security issues: Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.