Just installing v2.0.20.1 DOES NOT seem to fix CVE-2017-8768


Per the vulnerability is in the custom URL command handler.

I had 1.9.13 installed (on Windows 10), and then installed


  • DOES NOT uninstall v1.9.x
  • DOES NOT remove or change the registry entry that defines the command handler (HKEY_CLASSES_ROOT\sourcetree)

So the dangerous custom url handler still runs, and still loads the vulnerable v1.9.x despite the installation of v2.0.20.1.  

Unless you manually uninstall 1.x, it seems that this vulnerability still exists!

I hope this is just something unusual with my setup, but I've tried un-installing and re-installing and the same issue persists.

The security warning email and page say:

"Customers who have upgraded to SourceTree for Mac version 2.5.1 or SourceTree for Windows version are not affected."

This does not appear to be true. To be true it would need to add "and have manually uninstalled all 1.x".


Some comments on the limited attempts made to notify the user:

  1. starting the very latest 1.19.x says "this is not supported".
    • "Not supported" does not mean "is vulnerable and must be uninstalled"! This warning needs to be much stronger!
    • This version updated with this message should have removed the command handler registry entry to at least reduce the risk
  2. starting says "these old versions were found and it's recommended they be uninstalled"
    • Again, no mention of critical vulnerabilities. This should be much stronger!
    • Even if 2.0.20.x can't uninstall the old versions automatically, it can at least delete or overwrite the registry entry that defines the command handler.

Test Case

To test this for yourself:

1. Create a new html file with contents such as:

  <a href="sourcetree://vulnerability">Is this still vulnerable</a>

2. Open the html file in a browser and click the link. If SourceTree 1.9.x opens you are likely still vulnerable


I realise SourceTree is free and you are presumably under lots of pressure over the last few days, so I do want to say thanks for the hard work and I hope these issues can be resolved quickly.

I don't believe anything in this discusses security issues that are not already in the public domain (or trivially related to it).  If you disagree, please feel free to remove this comment and point me at your security contact.
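For other Windows users who want to check their own machine without clicking a sourcetree:// link, the following PowerShell audit is an added example (not code from the original post or from Atlassian). It reads the registry entry the post names (HKEY_CLASSES_ROOT\sourcetree) and reports which executable the handler actually launches, then lists every SourceTree install registered in the standard Uninstall keys so a leftover 1.x build is easy to spot. Assumptions, labelled in the comments: the launch command sits under the usual URL-protocol subkey shell\open\command (the post only names the parent key), and a handler pointing at a build older than 2.0.20.1 is treated as still exposed, following the post's description of the fix.

```powershell
# Added example (not from the original post): audit the sourcetree:// URL
# protocol handler on Windows and list installed SourceTree builds.
# Assumption (standard Windows URL-protocol layout, not stated in the post):
# the launch command lives at HKCR\sourcetree\shell\open\command (Default).
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\sourcetree\shell\open\command'

function Get-SourceTreeHandler {
    if (-not (Test-Path $HandlerKey)) { return $null }
    $cmd = (Get-ItemProperty -Path $HandlerKey).'(default)'
    # Command is normally "C:\path\SourceTree.exe" "%1"; extract the exe path.
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
    $exists = Test-Path -LiteralPath $exe
    [pscustomobject]@{
        Command    = $cmd
        Executable = $exe
        Exists     = $exists
        Version    = if ($exists) { (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion } else { $null }
    }
}

function Test-SourceTreeHandlerSafe {
    param($Handler)
    # Assumption from the post: 2.0.20.1 carries the fix, so a handler that
    # launches anything older is the risk. No handler, or a handler whose
    # executable is gone, means nothing is launched by a sourcetree:// link.
    if ($null -eq $Handler -or -not $Handler.Exists) { return $true }
    $clean = $Handler.Version -replace '[^\d.].*$', ''   # drop suffixes like "-beta"
    return ([version]$clean) -ge [version]'2.0.20.1'
}

function Get-InstalledSourceTree {
    # Standard per-machine (64/32-bit) and per-user Uninstall registrations.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like 'SourceTree*') {
                [pscustomobject]@{
                    Name            = $p.DisplayName
                    Version         = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

$handler = Get-SourceTreeHandler
'--- sourcetree:// handler ---'
if ($handler) { $handler | Format-List } else { 'No sourcetree:// handler registered.' }

'--- installed SourceTree builds ---'
Get-InstalledSourceTree | Format-Table -AutoSize

if (Test-SourceTreeHandlerSafe $handler) {
    'OK: sourcetree:// is absent or points at a build >= 2.0.20.1.'
} else {
    "WARNING: sourcetree:// still launches $($handler.Executable) (version $($handler.Version)). " +
    'Uninstall the 1.x build, then re-run this check.'
}
```

Run it from a normal (non-elevated) PowerShell prompt; HKCR and the Uninstall keys are readable without administrator rights. The useful signal is the combination: a 1.x entry in the install list together with a handler whose Executable path is inside the 1.x install folder is exactly the state the post describes after installing 2.0.20.1 on top of 1.9.13.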

1 comment

Sam Hall Rising Star May 11, 2017

Hi Richard - this is a community forum used (mostly) by users like you and me to share knowledge, tips and ask and answer questions.

Atlassian do read and post on here, but it's not a formal way to give feedback, raise bugs or request support.

If you want to contact Atlassian directly with a bug report like this, the best way is via a support ticket at

That'll get a bug raised on

In the meantime, I will see if I can bring this to the attention of someone from Atlassian.

Thanks for taking this up Sam,

I have had response to other comments on here so I didn't realise there was somewhere else for more directly entering bugs.  I'll go and add this bug via the link you recommend.

If you have contacts with Atlassian, its probably worth suggesting that they make the location for adding bug reports more clear; both in this section, and in the emails launching this community section.  e.g. the email I received 3 days ago said:

"Get product support via the Q&A forum" (their bold)

so I hope I can be forgiven for posting in the wrong place!

That said, I do think it also has a place here as I feel it is important for other users to know the potential ongoing risk and how to protect themselves.

No problem. It seems worth flagging up.

For what it's worth, I think Atlassian would rather people came here first with most product related questions.

It's deliberately promoted as the first stop for users, partly because it filters out a lot of the trivial stuff before it goes to their support team (not that I am saying this is trivial!).

After all, me replying to you here is not costing them any money : )

Plus, there are some serious experts who post here with tons of experience in using Atlassian's products. 

I agree that they could make the route to raise a bug more obvious. In general, there's quite an array of resources and contact points available, so I'm never surprised when it is not clear.

I hope this new community is the first step toward improving that stuff. That's partly why I put the effort in here to help.

Sam Hall Rising Star May 11, 2017

Oh - also. This is the original bug on CVE-2017-8768, if you didn't look through already:

Could be worth a comment on there.

chhabs Atlassian Team May 11, 2017

Hi Richard, thanks for writing in and for the feedback. You're correct, manually removing older versions is required to close the security gap. We'll update our documents accordingly. Thank you for your thoughtful comments and proactive support.


Product Manager | SourceTree

PS. I'll comment on the support ticket as well. 

