Sourcetree Security Advisory 2019-03-06


March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities

Summary

March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities

Advisory Release Date

06 Mar 2019 10:00 AM PDT (Pacific Time, -7 hours)

Product

  • Sourcetree for macOS

  • Sourcetree for Windows

Affected Sourcetree Versions

  • Sourcetree for macOS 1.2 <= version < 3.1.1

    Affected versions: Sourcetree for macOS

    3.1.0
    3.1b1
    3.0
    3.0.1
    3.0b7
    3.0b6
    3.0b5
    3.0b4
    3.0b3
    3.0b2
    3.0b1
    2.7.6
    2.7.5
    2.7.4
    2.7.3
    2.7.2
    2.7.2b2
    2.7.1b2
    2.7.1b1
    2.4.7.0
    2.7
    2.7b3
    2.7b2
    2.7b1
    2.6.3
    2.6.2
    2.6.1
    2.6
    2.5.3
    2.5.2
    2.5.1
    2.5
    2.4.1
    2.4
    2.3.2
    2.3.1
    2.3
    2.2.4
    2.2.3
    2.2.2
    2.2.1
    2.2
    2.0.5.8
    2.0.5.7
    2.0.5.6
    2.0.5.5
    2.0.5.4
    2.0.5.2
    2.0.5
    2.0.4
    2.0.3
    2.0.2
    2.0.1
    2.1
    2.0.0
    1.9.8
    1.9.7
    1.9.5.2
    1.9.5.1
    1.9.6
    1.9.4.1
    1.9.5
    1.9.3.1
    1.9.4
    1.9.3
    1.9.2
    1.9.1
    1.8.3
    1.8.2
    1.8.0.3
    1.8.1
    1.8.0.2
    1.8.0.1
    1.9.0
    1.7.5
    1.7.4.1
    1.7.4
    1.7.3
    1.7.2
    1.7.1
    1.6.4.1
    1.6.2.2
    1.6.2.1
    1.6.3.1
    1.8.0
    1.6.2
    1.6.0
    1.6.0.1
    1.6.1
    1.6.0b3
    1.6.0b2
    1.6.0b1
    1.7.0
    1.5.7.1
    1.5.8
    1.5.7
    1.5.5.1
    1.5.6
    1.5.5
    1.5.4
    1.5.3
    1.5.2
    1.5.1
    1.5.0b1
    1.6
    1.4.4
    1.4.3
    1.4.1.1
    1.4.2
    1.4.0b1
    1.4.1
    1.3.4
    1.3.3
    1.5.0
    1.3.1.1
    1.3.0
    1.3.2
    1.3.0b3
    1.3.0b2
    1.4.0
    1.3.1
    1.3.0b1
    1.2.9.1
    1.2.9
    1.2.8.1
    1.2.8
    1.2.4
    1.2.3
    1.2.2
    1.2.1
    1.2

  • Sourcetree for Windows 0.5a <= version < 3.0.17

    Affected versions: Sourcetree for Windows

    3.0.15-beta-2612
    3.0.15
    3.0.10
    3.0.12
    3.0.9
    3.0.9-beta-2351
    3.0.6
    3.0.8
    3.0.5
    3.0.3
    3.0.0-beta-2125
    3.0.0-beta-2101
    3.0.0-beta-1983
    3.0.0-beta-1962
    3.0.0-beta-1930
    2.6.9.
    2.6.9
    2.6.9-beta-0
    2.6.7
    2.6.6
    2.6.6-beta-0
    2.6.3
    2.6.3-beta-0
    2.6.1-beta-1
    2.6.0-beta-0
    2.5.5.0
    2.4.8.0
    2.4.7.0
    2.4.4-beta-0
    2.3.5.0
    2.3.1.0
    2.2.4.0
    2.1.7.0
    2.1.6-beta-0
    2.1.5-beta-0
    2.1.2.5
    2.1.4-beta-0
    2.1.2.4
    2.1.2.3
    2.0.12-beta-1
    1.10.23.1
    1.10.22.1
    1.10.21.1
    2.0.11-beta-1
    2.0.9-beta-1
    2.0.8-beta-1
    1.10.19.1
    1.10.20.1
    1.10.18.1
    1.10.15.4
    1.10.14-beta-2
    1.9.10.0
    1.9.9.20
    1.9.6.2
    1.9.7-beta-2
    1.9.7-beta-1
    1.9.6.1
    1.9.7-beta-0
    1.9.7
    1.9.6-beta-0
    1.9.6
    1.9.5.0
    1.9.4-beta-1
    1.9.4-beta-0
    1.10.0-alpha-1
    1.9.3-beta-1
    1.9.3-beta-0
    1.9.2-beta-1
    1.9.1-beta-1
    1.9.0-beta-5
    1.8.2.11
    1.8.2.3
    1.8.2.2
    1.8.3
    1.8.2
    1.8.1
    1.8.0.36401
    1.6.25
    1.6.24
    1.6.23
    1.6.22
    1.6.21
    1.6.20
    1.6.19
    1.6.18
    1.6.17
    1.6.16
    1.6.15004
    1.6.15003
    1.6.15001
    1.6.15
    1.6.14
    1.6.13002
    1.6.13001
    1.6.12002
    1.6.13
    1.6.12001
    1.6.12
    1.6.11
    1.6.10
    1.6.9
    1.6.9003
    1.6.9002
    1.6.9001
    1.6.8
    1.6.7
    1.6.6
    1.6.5
    1.7
    1.6.3
    1.6.4
    1.6.2
    1.6.1
    1.6
    1.5.2
    1.5.1
    1.4.1
    1.5.0
    1.4.0
    1.3.3
    1.3.2
    1.3.1
    1.3.0
    1.2.4
    1.2.3
    1.2.2
    1.2.1
    1.2.0
    1.1.1
    1.0.8
    1.0.7
    1.0.6
    1.0.5
    1.0.4
    1.0.3
    1.1
    1.0.2
    1.0.1
    0.9.4
    0.9.2.3
    0.9.2.2
    0.9.3
    0.9.2.1
    0.9.2
    0.9.1.2
    0.9.1.1
    0.9.0.6b
    0.9.0.5b
    0.9.0.4b
    0.9.0.3b
    0.9.0.2b
    0.9.1
    0.9.0.1b
    0.8.5b
    0.8.4b
    0.8.3b
    0.8.2b
    0.8.1b
    1.0.0
    0.9b
    0.8b
    0.5a

Fixed Sourcetree Versions

  • Sourcetree for macOS version 3.1.1 and higher.

  • Sourcetree for Windows version 3.0.17 and higher.

CVE ID

  • CVE-2018-20234

  • CVE-2018-20235

  • CVE-2018-17456

  • CVE-2018-20236


Summary of Vulnerability

This advisory discloses three critical severity security vulnerabilities in Sourcetree for macOS and Sourcetree for Windows.

Versions of Sourcetree for macOS starting with 1.2 before 3.1.1, and versions of Sourcetree for Windows starting with 0.5a before 3.0.17 are affected by one or more of these vulnerabilities.

Customers who have upgraded to Sourcetree for macOS version 3.1.1 or Sourcetree for Windows version 3.0.17 are not affected.

Customers who have downloaded and installed Sourcetree for macOS before version 3.1.1 or Sourcetree for Windows before version 3.0.17 are affected.

Please upgrade your Sourcetree installations immediately to fix these vulnerabilities.

Mercurial hooks vulnerability - CVE-2018-20234 and CVE-2018-20235

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT environment.

Description

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before version 3.0.15 were vulnerable to CVE-2018-20234 and CVE-2018-20235 respectively. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS or Windows is able to exploit this issue to gain code execution on the system.

Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are affected by this vulnerability. This issue can be tracked here:

SRCTREE-6391 - Argument Injection via Mercurial hooks in Sourcetree for macOS - CVE-2018-20234 CLOSED

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.15 are affected by this vulnerability. This issue can be tracked here:

SRCTREEWIN-11289 - Argument Injection via Mercurial hooks in Sourcetree for Windows - CVE-2018-20235 CLOSED

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree for Windows version 3.0.15 that contains a fix for this issue.

  2. Released Sourcetree for macOS version 3.1.1 that contains a fix for this issue.

Git submodules vulnerability - CVE-2018-17456

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT environment.

Description

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before version 3.0.17 were both vulnerable to CVE-2018-17456. A remote attacker with permission to commit to a git repository linked in Sourcetree for macOS or Windows is able to exploit this issue to gain code execution on the system.

Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are affected by this vulnerability. This issue can be tracked here:

SRCTREE-6394 - Input validation vulnerability via Git in Sourcetree for Mac - CVE-2018-17456 CLOSED

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.17 are affected by this vulnerability. This issue can be tracked here:

SRCTREEWIN-11292 - Input validation vulnerability via Git in Sourcetree for Windows - CVE-2018-17456 CLOSED

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree for macOS version 3.1.1 that contains a fix for this issue.

  2. Released Sourcetree for Windows version 3.0.17 that contains a fix for this issue.

URI handling vulnerability - CVE-2018-20236

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT environment.

Description

Sourcetree for Windows before version 3.0.10 was vulnerable to CVE-2018-20236. A remote attacker able to send a URI to a Sourcetree for Windows user is able to exploit this issue to gain code execution on the system.

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.10 are affected by this vulnerability. This issue can be tracked here:

SRCTREEWIN-11291 - Command Injection via URI handling in Sourcetree for Windows - CVE-2018-20236 CLOSED

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.

Fix

We have taken the following steps to address this issue:

  1. Released Sourcetree for Windows version 3.0.10 that contains a fix for this issue.

What You Need to Do

Upgrade Sourcetree for Windows to version 3.0.17 or higher.

Upgrade Sourcetree for macOS to version 3.1.1 or higher.

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Sourcetree for macOS, see the release notes. For a full description of the latest version of Sourcetree for Windows, see the release notes. You can download the latest version of Sourcetree from the Sourcetree website.
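The affected and fixed ranges above are easy to misread across a fleet because Sourcetree version strings mix formats (3.0.15-beta-2612, 3.1b1, 0.5a, 1.8.0.36401). The following script is an added example, not Atlassian's code: it encodes the ranges exactly as this advisory states them and reports which CVE IDs still apply to each installed version. The sample inventory is constructed for the demonstration, and the ordering rules for prerelease suffixes (a prerelease sorts before the final build with the same number; trailing zeros are insignificant) are assumptions of this example, not something the advisory specifies.

```python
import re

# Affected ranges exactly as stated in the advisory, keyed by product and CVE.
# Each range is [first affected, first fixed): the lower bound is inclusive,
# the upper bound is the release that carries the fix.
AFFECTED_RANGES = {
    "macos": {
        "CVE-2018-20234": ("1.2", "3.1.1"),    # Mercurial hooks argument injection
        "CVE-2018-17456": ("1.2", "3.1.1"),    # Git submodules input validation
    },
    "windows": {
        "CVE-2018-20235": ("0.5a", "3.0.15"),  # Mercurial hooks argument injection
        "CVE-2018-17456": ("0.5a", "3.0.17"),  # Git submodules input validation
        "CVE-2018-20236": ("0.5a", "3.0.10"),  # URI handling command injection
    },
}

# Assumed prerelease aliases: '3.1b1' and '0.5a' are treated like 'beta'/'alpha'.
_PRERELEASE_ALIAS = {"a": "alpha", "b": "beta"}


def parse_version(text):
    """Convert a Sourcetree version string into a sortable key.

    Handles the forms in the advisory's version lists: '3.0.15-beta-2612',
    '3.1b1', '0.5a', '1.8.0.36401' and '2.6.9.' (stray trailing dot).
    Ordering rules (assumptions, not stated by the advisory): a prerelease
    sorts before the final build with the same number, and trailing zeros
    are insignificant, so '3.1.0' equals '3.1'.
    """
    text = text.strip().rstrip(".")
    match = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = [int(part) for part in match.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    suffix = match.group(2).lstrip("-.")
    if not suffix:
        return (tuple(release), 1, ())          # 1 = final release
    prerelease = []
    for token in re.findall(r"\d+|[A-Za-z]+", suffix):
        if token.isdigit():
            prerelease.append((0, int(token)))   # numeric tokens compare numerically
        else:
            word = token.lower()
            prerelease.append((1, _PRERELEASE_ALIAS.get(word, word)))
    return (tuple(release), 0, tuple(prerelease))  # 0 = prerelease


def affected_cves(product, version):
    """Return the advisory's CVE IDs that apply to this product/version."""
    installed = parse_version(version)
    hits = []
    for cve, (first_affected, first_fixed) in AFFECTED_RANGES[product].items():
        if parse_version(first_affected) <= installed < parse_version(first_fixed):
            hits.append(cve)
    return sorted(hits)


def triage(inventory):
    """Map each host in an inventory to the CVEs it is still exposed to."""
    return {host: affected_cves(product, version) for host, product, version in inventory}


# Constructed sample inventory for the demonstration; not data from the advisory.
SAMPLE_INVENTORY = [
    ("mbp-01", "macos", "3.1.1"),
    ("win-01", "windows", "3.0.15-beta-2612"),
    ("win-02", "windows", "3.0.16"),
    ("mbp-02", "macos", "3.1b1"),
    ("win-03", "windows", "0.5a"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = "needs upgrade: " + ", ".join(cves) if cves else "fixed"
        print(f"{host}: {status}")
```

Note that a Windows install at 3.0.16 is already past the Mercurial hooks and URI handling fixes but still inside the CVE-2018-17456 range, which is why the check reports per CVE rather than a single affected/not-affected verdict, and why the upgrade targets to aim for remain 3.0.17 (Windows) and 3.1.1 (macOS).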

Support

If you did not receive an email for this advisory and you wish to receive such emails in the future, go to https://my.atlassian.com/email and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ja/.

References

Security Bug Fix Policy

Our SLAs and guarantees for bugfixes.

Severity Levels for Security Issues

Atlassian security advisories include a severity level and a CVE ID. The severity level is based on the CVSS score that Atlassian calculates for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.

End of Life Policy

Our end of life policy varies for different products. Please refer to the policy for details.

Last modified on Mar 6, 2019
