Sourcetree Security Advisory 2018-04-25


Sourcetree - Argument injection via Mercurial tag names on Windows - CVE-2018-5226

Summary

CVE-2018-5226 - Argument injection through the name of a tag for Windows

Advisory Release Date

10:00 AM PDT (Pacific Time, -7 hours)

Product: Sourcetree for Windows

Affected Sourcetree Versions

    • All versions of SourceTree for Windows before version 2.5.5.0

Fixed Sourcetree Versions

    • Sourcetree for Windows version 2.5.5.0 and later.
CVE ID: CVE-2018-5226


Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which affects Sourcetree for Windows before 2.5.5.0 (the fixed version).


Customers who have upgraded Sourcetree for Windows to version 2.5.5.0 and later are not affected.

Customers using Sourcetree for Mac are not affected.

Customers who have downloaded and installed Sourcetree for Windows before version 2.5.5.0 should upgrade their Sourcetree installations to fix this vulnerability.


Argument injection via Mercurial tag names on Windows (CVE-2018-5226)

Severity

We have rated this a critical severity vulnerability as measured by the Atlassian severity levels scale. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.


Description

There was an argument injection vulnerability in Sourcetree for Windows via the name of a Mercurial repository tag that is about to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.

All versions of Sourcetree for Windows before 2.5.5.0 are affected by this vulnerability. This issue can be tracked here: https://jira.atlassian.com/browse/SRCTREEWIN-8509
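An added example (not Atlassian's or Sourcetree's code) of the defensive pattern that closes this class of bug: build the command as an argument list rather than a shell string, and end option parsing with the conventional `--` marker before the tag name. The sample tag names are constructed, and `hg` itself is never executed by the test.

```python
"""Safe vs. unsafe ways to hand a user-controlled Mercurial tag name to the hg CLI."""
import shlex
import subprocess
from typing import List

# Constructed sample tag names. A name that begins with "-" has the same shape as a
# command-line option, which is what makes argument injection possible.
SAMPLE_TAGS = ["v1.0", "--help", "my tag"]


def naive_argv(tag: str) -> List[str]:
    """Unsafe pattern: format the name into a shell string and let the shell split it.

    Anything option-shaped in `tag` lands in front of hg's option parser, and
    whitespace inside `tag` becomes several separate arguments.
    """
    return shlex.split(f"hg tag --remove {tag}")


def validate_tag_name(tag: str) -> None:
    """Defence in depth (assumed policy for this example, not Mercurial's own rules):
    refuse names that are empty or contain control characters."""
    if not tag or any(ord(c) < 0x20 for c in tag):
        raise ValueError("tag name is empty or contains control characters")


def safe_argv(tag: str) -> List[str]:
    """Build argv as a list (no shell) and terminate option parsing with "--".

    After "--" every remaining argument is an operand, so a name such as
    "--help" is treated as the tag to delete instead of being read as an option.
    """
    validate_tag_name(tag)
    return ["hg", "tag", "--remove", "--", tag]


def looks_like_option(argv: List[str]) -> bool:
    """True if the operand position of a built command holds something option-shaped
    that is not protected by a preceding "--"."""
    operands = argv[3:]  # everything after "hg tag --remove"
    if operands and operands[0] == "--":
        return False
    return any(a.startswith("-") for a in operands)


def delete_tag(repo_dir: str, tag: str) -> None:
    """Run the hardened command against a real repository (not called by the test)."""
    subprocess.run(safe_argv(tag), cwd=repo_dir, check=True)
```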

Acknowledgements

Atlassian would like to credit Tianqi Zhang@Tophant for reporting this issue to us.

Mitigation

There is no known mitigation for this issue.

Fix

We have taken the following steps to address this issue.

  1. Released Sourcetree version 2.5.5.0 that contains a fix for this issue which can be downloaded from https://downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-2.5.5.exe and https://downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_2.5.5.msi.

What You Need To Do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Sourcetree, see the release notes for Windows. You can download the latest version of Sourcetree from the Sourcetree website.


Support

Atlassian supports SourceTree through the Atlassian Community. If you have questions or concerns regarding this advisory, go to https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree.

References

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE ID. The severity level is based on the CVSS score that Atlassian has independently calculated for each vulnerability. CVSS is an industry-standard vulnerability metric. You can learn more about CVSS at FIRST.org.

Last updated: July 9, 2018
