SourceTree for Windows Security Advisory 24th March 2021
SourceTree for Windows - Remote Code Injection using Git LFS - CVE-2020-27955 & CVE-2021-21237
要約 | CVE-2020-27955 & CVE-2021-21237 - Remote Code Injection using Git LFS |
|---|---|
勧告のリリース日 | 24 March 2021, 10:00 AM PDT (Pacific Time, -7 hours) |
製品 | SourceTree for Windows |
影響を受けるバージョン | Version 3.4.2 and earlier |
修正済みバージョン | Version 3.4.3 and later |
CVE ID |
脆弱性の概要
This advisory discloses a critical severity security vulnerability which was introduced through the git-lfs library and discovered in version 3.3.9 of SourceTree for Windows. Both CVE-2020-27955 & CVE-2021-21237 refer to the same underlying vulnerability, Remote Code Injection using Git LFS. Versions of SourceTree for Windows starting with 0.9.4 before 3.4.3 (the fixed version for CVE-2020-27955 and CVE-2021-21237) are affected by this vulnerability.
Customers who have upgraded to version 3.4.3 are not affected. |
Customers who have installed versions <= 3.4.2 (the fixed version for versions < 3.4.3) Please upgrade your installations immediately to fix this vulnerability. |
Remote Code Injection using Git LFS - CVE-2020-27955 & CVE-2021-21237
深刻度
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
説明
Vulnerability occurs when a user clones a malicious repository and tries to enable Git LFS to the repository
Clone the repository
Go to the Repository Tab -> Git LFS -> Start Repo
Loading a malicious repository will allow an attacker to execute arbitrary commands on the system.
All versions of SourceTree for Windows up to and including 3.4.2 are affected by this vulnerability.
この問題はこちらで追跡できます。
SRCTREEWIN-13410 - RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955 CLOSED
SRCTREEWIN-13480 - RCE via git-lfs in Sourcetree for Windows - CVE-2021-21237 CLOSED
Vulnerability References
CVE-2020-27955 advisory from Github: https://github.com/git-lfs/git-lfs/security/advisories/GHSA-4g4p-42wc-9f3m
CVE-2021-21237 advisory from Github: https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5
Original advisory by Dawid Golunski: https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html
修正
弊社ではこの問題に対応するために次の対応を行いました。
Released version 3.4.3 that contains a fix for this issue.
必要なアクション
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree for Windows, see the release notes. Download the latest version of the standard installer or the enterprise installer.
Upgrade to version 3.4.3 or higher.
問題の軽減策
Update git and git-lfs on your system to the latest versions and use them in your existing Sourcetree.
サポート
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ja/.
参考
アトラシアンの新しいポリシーに記載のとおり、重大なセキュリティ バグ修正は、https://www.atlassian.com/trust/security/bug-fix-policy に応じてバックポートされます。新しいポリシーの対象バージョンについては、バイナリ パッチではなく新しいメンテナンス リリースが提供されます。 バイナリ パッチのリリースは終了しています。 | |
アトラシアンのセキュリティ勧告には重大度レベルと CVE ID が含まれます。重大度レベルは、それぞれの脆弱性についてアトラシアンが独自に計算した CVSS スコアに基づきます。CVSS は業界標準の脆弱性メトリックです。CVSS の詳細を FIRST.org でご確認ください。 | |
サポート終了ポリシーは、製品によって異なります。詳細は、アトラシアンの「製品終了ポリシー」を参照してください。 |