CyberSec.Space Logo
Back to CVE Browser

CVE-2017-8768

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1550%
EPSS Percentile11.48th
PublishedMay 4, 2017
Last ModifiedMay 13, 2026

Vulnerability Description

Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632.

Affected Platforms (CPE)

πŸ“¦
Atlassian

Sourcetree

<= 2.5c

References & Advisories

πŸ”— http://openwall.com/lists/oss-security/2017/05/03/5
πŸ”— http://seclists.org/fulldisclosure/2017/May/10
πŸ”— http://www.securityfocus.com/bid/98329
πŸ”— https://www.youtube.com/watch?v=SQ1_Ht-0Bdo
πŸ”— http://openwall.com/lists/oss-security/2017/05/03/5
πŸ”— http://seclists.org/fulldisclosure/2017/May/10
πŸ”— http://www.securityfocus.com/bid/98329
πŸ”— https://www.youtube.com/watch?v=SQ1_Ht-0Bdo

Related Vulnerabilities

CVE-2018-133859.8

There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with pe...

CVE-2018-52268.8

There was an argument injection vulnerability in Sourcetree for Windows via Mercurial repository tag name that is going to be dele...

CVE-2017-145938.8

Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with ...

CVE-2017-145928.8

Sourcetree for macOS had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with pe...