Sourcetree Security Advisory 2018-04-25
Sourcetree - Argument injection via Mercurial tag names on Windows - CVE-2018-5226
CVE-2018-5226 - Argument injection through the name of a tag for Windows
10:00 AM PDT (Pacific Time, -7 hours)
|製品||Sourcetree for Windows|
Affected Sourcetree Versions
Fixed Sourcetree Versions
This advisory discloses a critical severity security vulnerability which affects Sourcetree for Window before 126.96.36.199 (the fixed version).
Customers who have upgraded Sourcetree for Windows to version 188.8.131.52 and later are not affected.
Customers using Sourcetree for Mac are not affected.
Customers who have downloaded and installed Sourcetree for Windows before version 184.108.40.206
Please upgrade your Sourcetree installations to fix this vulnerability.
Argument injection via Mercurial tag names on Windows (CVE-2018-5226)
We have rated this a critical severity vulnerability as measured by the Atlassian severity levels scale. The scale allows us to rank the severity as critical, high, moderate or low.
これはアトラシアンの評価であり、お客様自身の IT 環境への適用性を評価する必要があります。
There was an argument injection vulnerability in Sourcetree for Windows via Mercurial repository tag name that is going to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
All versions of Sourcetree for Windows before 220.127.116.11 are affected by this vulnerability. This issue can be tracked here: https://jira.atlassian.com/browse/SRCTREEWIN-8509
Atlassian would like to credit Tianqi Zhang@Tophant for reporting this issue to us.
There is no known mitigation for this issue.
- Released Sourcetree version 18.104.22.168 that contains a fix for this issue which can be downloaded from https://downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-2.5.5.exe and https://downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_2.5.5.msi.
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Sourcetree, see the release notes for Windows. You can download the latest version of Sourcetree from the Sourcetree website.
Atlassian supports SourceTree through the Atlassian Community. If you have questions or concerns regarding this advisory, go to https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree.