CVE-2017-8768

Name of the Vulnerable Software and Affected Versions Atlassian SourceTree versions 2.5c and prior

Description The issue exists due to a lack of neutralization of special elements used in operating system commands. Exploitation may allow a remote attacker to execute arbitrary commands by manipulating the URL, specifically using the sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: URL substrings followed by the command.

Recommendations For Atlassian SourceTree versions 2.5c and prior, consider disabling the handling of the sourcetree:// scheme until a patch is available. Restrict access to the cloneRepo and checkoutRef functions to minimize the risk of exploitation. Avoid using the sourcetree://cloneRepo/ext:: and sourcetree://checkoutRef/ext:: URL substrings in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.