Back to list
Advisory - Sourcetree for Windows - CVE-2018-5226
Apr 30 2018 03:02AM
Atlassian (security atlassian com)
-----BEGIN PGP SIGNED MESSAGE-----
This email refers to the advisory found at
Product: Sourcetree for Windows.
Affected Sourcetree for Windows product versions:
version < 220.127.116.11
Fixed Sourcetree for Windows product versions:
* Sourcetree for Windows 18.104.22.168 has been released with a fix for this issue.
This advisory discloses a critical severity security vulnerability. Versions of
Sourcetree for Windows before version 22.214.171.124 are affected by this
Customers who have upgraded Sourcetree for Windows to version 126.96.36.199 are not
Customers using Sourcetree for Mac are not affected.
Customers who have downloaded and installed Sourcetree for Windows less than
188.8.131.52 please upgrade your Sourcetree for Windows installations immediately to
fix this vulnerability.
SourceTree for Windows - Argument injection via Mercurial tag names -
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
There was an argument injection vulnerability in Sourcetree for Windows via
Mercurial repository tag name that is going to be deleted. An attacker with
permission to create a tag on a Mercurial repository linked in Sourcetree for
Windows is able to exploit this issue to gain code execution on the system. All
versions of Sourcetree for Windows before 184.108.40.206 are affected by this
Versions of Sourcetree for Windows before version 220.127.116.11 are affected by this
vulnerability. This issue can be tracked at:
To address this issue, we've released the following versions containing a fix:
* Sourcetree for Windows version 18.104.22.168
Upgrade Sourcetree for Windows to version 22.214.171.124 or higher.
The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.
For a full description of the latest version of Sourcetree for Windows, see
the release notes found at
download the latest version of Sourcetree for Windows from the download centre
found at https://www.sourcetreeapp.com/.
Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
[ reply ]
Copyright 2010, SecurityFocus