SourceTree Security Advisory 2017-05-10
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
SourceTree - Command Injection - CVE-2017-8768
Note: As of September 2014 we are no longer issuing binary bug patches, instead we create new maintenance releases for the major versions we are backporting.
| 要約 | CVE-2017-8768 - Command Injection |
|---|---|
| 勧告のリリース日 | 10:00 AM PDT (Pacific Time, -7 hours) |
| 製品 |
|
Affected SourceTree Versions |
|
Fixed SourceTree Versions |
|
| CVE ID |
|
脆弱性の概要
This advisory discloses a critical security vulnerability in versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 and SourceTree for Windows starting with 0.8.4b but before 2.0.20.1.
Customers who have upgraded SourceTree for Mac to version 2.5.1 are not affected.
Customers who have upgraded SourceTree for Windows to version 2.0.20.1 are not affected.
Customers who have downloaded and installed SourceTree for Mac starting with 1.4.0 but before 2.5.1 (the fixed version for 2.5.x)
Customers who have downloaded and installed SourceTree for Windows starting with 0.8.4b but before 2.0.20.1 (the fixed version for 2.0.x)
Please upgrade SourceTree to the latest version to fix this vulnerability.
Command Injection (CVE-2017-8768)
深刻度
アトラシアンはアトラシアンの深刻度レベルで公開されているスケールに従って、この脆弱性の深刻度レベルを重大として評価しています。このスケールによって、深刻度を重大、高度、中度、低度として評価できます。
これはアトラシアンの評価であり、お客様自身の IT 環境への適用性を評価する必要があります。
説明
SourceTree for Mac and Windows are affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface.
Versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 are affected by this vulnerability. This issue can be tracked here.
Versions of SourceTree for Windows starting with 0.8.4b but before 2.0.20.1 are affected by this vulnerability. This issue can be tracked here.
必要なアクション
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree, see the release notes for Mac and Windows. You can download the latest versions of SourceTree from the SourceTree website.
Upgrade SourceTree for Mac to version 2.5.1 or higher. Please note that since SourceTree for Mac 2.5.0 Mac OSX 10.11 or later is required.
Upgrade SourceTree for Windows to version 2.0.20.1 or higher and manually uninstall any older versions of SourceTree for Windows.
サポート
If you did not receive an email for this advisory and wish to receive such emails in the future, please go to https://my.atlassian.com/email and subscribe to "Product information & updates" for SourceTree. To receive advisories for our other products, please go to https://my.atlassian.com/email and subscribe to relevant alerts.
この勧告に関してご質問や懸念がある場合は、https://support.atlassian.com/ja/ でサポート リクエストを作成してください。
謝辞
Atlassian would like to credit Yu Hong for reporting this issue to us.
参考
| セキュリティの問題の重大度レベル | アトラシアンのセキュリティ勧告には重大度レベルと CVE ID が含まれます。重大度レベルは、それぞれの脆弱性についてアトラシアンが独自に計算した CVSS スコアに基づきます。CVSS は業界標準の脆弱性メトリックです。CVSS の詳細を FIRST.org でご確認ください。 |