May 2017 - SourceTree - Critical Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
This email refers to the advisory found at
Affected SourceTree product versions:
* SourceTree for Mac 1.4.0 <= version < 2.5.1
* SourceTree for Windows 0.8.4b <= version < 220.127.116.11
Fixed SourceTree product versions:
* Versions of SourceTree for Mac equal to and above 2.5.1 contain a
fix for this issue.
* Versions of SourceTree for Windows equal to and above 18.104.22.168
contain a fix for this issue.
This advisory discloses a critical security vulnerability in versions
of SourceTree for Mac starting with 1.4.0 but before 2.5.1 and
SourceTree for Windows starting with 0.8.4b but before 22.214.171.124.
Customers who have upgraded SourceTree for Mac to version 2.5.1 are
Customers who have upgraded SourceTree for Windows to version 126.96.36.199
are not affected.
Customers who have downloaded and installed SourceTree for Mac
starting with 1.4.0 but before 2.5.1 (the fixed version for 2.5.x) or
who have downloaded and installed SourceTree for Windows starting with
0.8.4b but before 188.8.131.52 (the fixed version for 2.0.x) please
upgrade SourceTree to the latest version to fix this vulnerability.
Command Injection - CVE-2017-8768:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
This is our assessment and you should evaluate its applicability to
your own IT environment.
SourceTree for Mac and Windows are affected by a command injection
vulnerability in URI handling. The vulnerability can be triggered
through a browser or the SourceTree interface.
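The advisory names the bug class (command injection reached through a URI handler) without describing the handler itself. The sketch below is an added example, not code from the advisory or from SourceTree: it contrasts the unsafe pattern of splicing a browser-supplied repository URL into a shell command with a hardened handler that validates the URI and passes arguments as a vector, never through a shell. The `sourcetree://clone?url=...` shape, the `git clone` invocation and the sample URIs are all constructed for illustration.

```python
"""Added illustration of a custom URI-scheme handler (hypothetical shape
``sourcetree://clone?url=<repo>``; not SourceTree's real handler)."""
from typing import List
from urllib.parse import parse_qs, urlparse

# Repository URL schemes the handler is willing to clone (assumed policy).
ALLOWED_REPO_SCHEMES = {"https", "ssh"}

# Characters that change meaning inside a shell command line.
SHELL_METACHARS = set(";|&`$<>()\n\r\"'\\ ")


def _repo_from_uri(uri: str) -> str:
    """Pull the ``url`` query parameter out of the custom URI."""
    return parse_qs(urlparse(uri).query).get("url", [""])[0]


def build_command_unsafe(uri: str) -> str:
    """Vulnerable pattern: the untrusted repo URL becomes part of a shell
    string (the kind of thing later run with shell=True). Whatever the
    browser supplied is interpreted by the shell, not just by git."""
    return f"git clone {_repo_from_uri(uri)}"


def build_command_safe(uri: str) -> List[str]:
    """Hardened pattern: allow-list the action and repo scheme, refuse
    anything that looks like a shell or git option, and return an argv
    list so no shell ever sees the value."""
    parsed = urlparse(uri)
    if parsed.scheme != "sourcetree" or parsed.netloc != "clone":
        raise ValueError("unexpected URI action")

    repo = parse_qs(parsed.query).get("url", [""])[0]
    if not repo or repo.startswith("-"):
        raise ValueError("repository URL missing or looks like an option")

    repo_parsed = urlparse(repo)
    if repo_parsed.scheme not in ALLOWED_REPO_SCHEMES or not repo_parsed.netloc:
        raise ValueError("repository URL must be https:// or ssh:// with a host")

    if SHELL_METACHARS & set(repo):
        raise ValueError("repository URL contains shell metacharacters")

    # '--' ends git option parsing, so the URL can never be read as a flag.
    return ["git", "clone", "--", repo]


def handler_accepts(uri: str) -> bool:
    """Convenience check: does the hardened handler accept this URI?"""
    try:
        build_command_safe(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URIs: one benign, one carrying a shell pipe.
    benign = "sourcetree://clone?url=https://example.invalid/team/repo.git"
    hostile = "sourcetree://clone?url=https://example.invalid/repo.git|echo injected"
    for sample in (benign, hostile):
        print("unsafe string :", build_command_unsafe(sample))
        print("safe argv     :", build_command_safe(sample) if handler_accepts(sample) else "REJECTED")
```

The argv form is what the handler should hand to `subprocess.run` (with the default `shell=False`); the metacharacter filter is defence in depth, since an argument vector already prevents the shell from interpreting the value.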
Versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1
and versions of SourceTree for Windows starting with 0.8.4b but before
184.108.40.206 are affected by this vulnerability. The issue for SourceTree
for Mac can be found at https://jira.atlassian.com/browse/SRCTREE-4738
and for SourceTree for Windows at
Upgrade SourceTree for Mac to version 2.5.1 or higher. Please note
that since SourceTree for Mac 2.5.0 Mac OSX 10.11 or later is
Upgrade SourceTree for Windows to version 220.127.116.11 or higher.
For a full description of the latest version of SourceTree, see the
release notes for Mac
(https://www.sourcetreeapp.com/update/releasenotes/2.5.1.html) and for
You can download the latest version of SourceTree from
Atlassian would like to credit Yu Hong for reporting this issue to us.
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----