Is the SourceTree Mac app susceptible to the recently exposed Sparkle vulnerability?

I was surprised to not find any reference to this issue on the support site.

4 answers

1 accepted

1 vote
Answer accepted

I was browsing other questions to find the ID of an Atlassian staff member, and found this question:

Which referenced this bug:

That does address the issue and the fix has been included in version 2.2 released today.



I upgraded to the latest version, 2.2. But I am still seeing that the http protocol is being used for the AppCast xml. So I believe it's still susceptible to MITM.

I found this in a comment online:

Here's how to list all apps that use Sparkle on your system, and what version they are using:

find /Applications -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

You're looking for versions prior to 1.13.1. These are vulnerable if they are set to load any assets over unsecured HTTP. Perhaps someone else can chime in on where those URLs can be found.

If SourceTree doesn't use Sparkle, I'm not sure why they'd be expected to comment about it. To be fair, I don't use a Mac, so I can't check this myself. Maybe they do use Sparkle and should be more on top of the issue, idk.

I haven't looked into why that command doesn't pick it up but SourceTree looks to me to be using it. I have the latest version (2.1) installed and the value of CFBundleShortVersionString in the following file is 1.8.0:
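Added example, not from any post in this thread: a small audit script that lists, for each bundle in /Applications, the embedded Sparkle version and whether the appcast feed (the SUFeedURL key in the app's Info.plist) is fetched over plain http, which is the combination the thread is asking about. The framework location under Contents/Frameworks is an assumption about the standard bundle layout; the 1.13.1 threshold comes from the comment above.

```shell
# Added example, not from any post in this thread: audit /Applications for
# bundles that embed a Sparkle.framework older than 1.13.1 whose appcast feed
# (SUFeedURL in the app's Info.plist) is fetched over plain http. The framework
# location under Contents/Frameworks is an assumption about the standard layout.

# Print the <string> value that follows <key>$1</key> in XML plist text on stdin.
plist_value() {
  tr -d '\n' | sed -n "s/.*<key>$1<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p"
}

# Succeed when dotted version $1 is numerically older than $2 (so 1.8.0 < 1.13.1).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0; if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Verdict for one app from its Sparkle version ($1) and its SUFeedURL ($2).
assess() {
  [ -n "$1" ] || { echo no-sparkle; return; }
  version_lt "$1" 1.13.1 || { echo patched; return; }
  case "$2" in
    http://*) echo vulnerable ;;           # old Sparkle and a plain-http appcast
    *)        echo old-sparkle-not-http ;;  # old Sparkle, but the feed is not plain http
  esac
}

# Read a plist as XML; binary plists are converted with plutil where it exists (macOS).
read_plist() { plutil -convert xml1 -o - "$1" 2>/dev/null || cat "$1" 2>/dev/null; }

# One line per app that embeds Sparkle: path, framework version, feed URL, verdict.
audit_dir() {
  for app in "$1"/*.app; do
    fw="$app/Contents/Frameworks/Sparkle.framework"; [ -d "$fw" ] || continue
    ver=$(read_plist "$fw/Resources/Info.plist" | plist_value CFBundleShortVersionString)
    feed=$(read_plist "$app/Contents/Info.plist" | plist_value SUFeedURL)
    printf '%s\tSparkle %s\tfeed=%s\t%s\n' "$app" "${ver:-?}" "${feed:-none}" "$(assess "$ver" "$feed")"
  done
}

audit_dir /Applications
```

Apps that ship Sparkle at a non-standard path, or that set the feed URL in code rather than in Info.plist, will not be reported, so an empty result is not proof of safety.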



0 votes
Der Lun Ooi Atlassian Team Feb 13, 2016

The HTTP protocol works the same regardless of which operating system you are using, so the short answer is yes, you are vulnerable to a man-in-the-middle attack until you have upgraded to the fixed version that does not contain this vulnerability.
