On July 23, a remote code execution vulnerability (CVE-2018-11235) in the Sourcetree client was disclosed. The vulnerability stems from the version of Git embedded in Sourcetree: an attacker who controls a repository can execute arbitrary code on an affected system when the user clones that repository recursively, commits to it, or otherwise interacts with one of its submodules through Sourcetree.
Description
The version of Git embedded in Sourcetree for macOS was vulnerable to CVE-2018-11235. An attacker can exploit this issue if they can commit to a Git repository that is linked in Sourcetree for macOS or that has been recursively cloned with it, or if a user interacts with a submodule of such a repository. This allows them to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS. Versions of Sourcetree for macOS starting with version 1.0b2 and before version 2.7.6 are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/SRCTREE-5845
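The advisory above does not spell out the mechanism, so as an added example (not Atlassian's or the Git project's code): CVE-2018-11235 is a path traversal in the submodule name taken from .gitmodules. Git builds the directory .git/modules/<name> from that name, so a name containing a ".." component lets a hostile repository write files, such as a hook, outside that directory during a recursive clone, and the hook then runs. The script below parses a constructed .gitmodules file and flags every submodule name that the patched Git would reject; it mirrors the rule Git's fix applies (an empty name, or any path component equal to "..", splitting on both "/" and "\"). It is a triage check for repositories you are about to clone with a client whose embedded Git you cannot immediately upgrade, not a replacement for upgrading.

```python
"""Flag submodule names in a .gitmodules file that would trigger
CVE-2018-11235 in an unpatched Git.  Added example, not vendor code."""
import re
from dataclasses import dataclass, field

# [submodule "name"] section header; the quoted name is what Git uses
# to build the on-disk path .git/modules/<name>.
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>.*)"\]\s*$')
# key = value lines (path, url, branch, ...), case-insensitive keys.
KEY_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')


@dataclass
class Submodule:
    name: str
    settings: dict = field(default_factory=dict)


def parse_gitmodules(text):
    """Minimal parser for the section/key layout of .gitmodules.
    Comments (# or ;) and blank lines are skipped; keys are lowercased."""
    modules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION_RE.match(line)
        if m:
            current = Submodule(m.group('name'))
            modules.append(current)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current.settings[m.group('key').lower()] = m.group('value')
    return modules


def has_dotdot_component(name):
    """True if any path component of the submodule name is exactly '..'.
    Both '/' and '\\' are treated as separators so the verdict does not
    depend on the platform, which is the rule the Git fix applies."""
    return any(part == '..' for part in re.split(r'[/\\]', name))


def bad_submodule_names(text):
    """Return the submodule names in a .gitmodules file that a patched Git
    rejects: empty names and names that escape .git/modules/ via '..'."""
    return [m.name for m in parse_gitmodules(text)
            if not m.name or has_dotdot_component(m.name)]


# Constructed sample: one legitimate submodule and one whose name climbs
# out of .git/modules/ (the hosts are placeholders, not real repositories).
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = https://example.invalid/lib.git
; the name below is the CVE-2018-11235 pattern
[submodule "../../modules/evil"]
\tpath = evil
\turl = https://example.invalid/evil.git
"""

if __name__ == "__main__":
    import sys
    # Scan a real file if one is given, otherwise the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GITMODULES
    for name in bad_submodule_names(data):
        print(f"REJECT submodule name {name!r}: '..' path component")
```

Run it against the .gitmodules of a freshly fetched (not yet recursively cloned) superproject, and against each nested .gitmodules, since the traversal can sit at any depth. An empty result only says the names are well formed; it says nothing about the contents of the submodule repositories themselves.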
Affected versions
- Sourcetree for Windows: 0.5.1.0 <= version < 2.6.10
- Sourcetree for macOS: 1.0b2 <= version < 2.7.6
Fixed (unaffected) versions
- Sourcetree for Windows: version 2.6.10 and later
- Sourcetree for macOS: version 2.7.6 and later
Solution
Atlassian has released fixed versions of Sourcetree for this vulnerability (2.6.10 for Windows, 2.7.6 for macOS). Affected users should upgrade as soon as possible.