CVE-2024-21697: High Severity Flaw in Sourcetree Enables Remote Code Execution
Atlassian has issued a security advisory warning of a critical remote code execution (RCE) vulnerability in its popular Sourcetree software for Mac and Windows. Tracked as CVE-2024-21697 and scoring an 8.8 on the CVSS scale, this flaw could allow attackers to take complete control of affected systems.
Sourcetree, a free Git GUI client used by millions of developers worldwide, simplifies version control management with a user-friendly visual interface. However, this vulnerability, introduced in versions 4.2.8 for Mac and 3.4.19 for Windows, poses a significant risk to users who haven’t updated their software.
“This RCE (Remote Code Execution) vulnerability… allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction,” Atlassian explains in their advisory.
This means that attackers could potentially exploit this vulnerability to install malware, steal sensitive data, or disrupt system operations. While user interaction is required, attackers could employ social engineering tactics or malicious links to trick users into triggering the exploit.
Affected Versions:
- Sourcetree for Mac: Versions 4.2.8 and earlier
- Sourcetree for Windows: Versions 3.4.19 and earlier
Mitigation:
Atlassian strongly recommends that all users upgrade to the latest version of Sourcetree. If updating to the latest version is not immediately feasible, users should upgrade to one of the following fixed versions:
- Sourcetree for Mac 4.2: Upgrade to version 4.2.9 or later
- Sourcetree for Windows 3.4: Upgrade to version 3.4.20 or later
