More info on the Command Injection issue?

I received an email from Atlassian relating to the Command Injection issue in SourceTree and suggesting an upgrade to the most recent version of SourceTree, as I'm sure all users did.

I am hesitant about upgrading in an Enterprise environment to the newest version for a couple reasons I will not get into here. Is there any information on what exactly the risks are if I stay on a pre-2 version? And is there any way of mitigating those risks other than upgrading?

Much appreciate any responses

1 answer

1 accepted

This widget could not be displayed.
Gary Sackett Atlassian Team May 10, 2017

Hi Scott,

Please see https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+Security+Advisory+2017-05-10https://nvd.nist.gov/vuln/detail/CVE-2017-8768 for more information.

Can you also tell me if you are using the Windows version, or OSX version of SourceTree?

Cheers,
Gary

Thanks for the links. I had seen the first one and found it a little vague on what exactly the possible repercussions could be, I will follow up on the latter link though.

I'm using the Windows version.

After following the links I believe I understand the seriousness of the issue. Is there any way of effectively negating the issue in affected versions, such as unlinking the installed Sourcetree from URI association?

Gary Sackett Atlassian Team May 10, 2017

Hey Scott,

Upgrading is the preferred path.  

Alternatively, you can uncheck the option "Use this version of SourceTree for UIR Association" in the Tools/Options/General Tab and remove the following registry key "HKEY_CURRENT_USER\SOFTWARE\Classes\sourcetree\shell\opencommand" - this disables the handling of the "sourcetree://" protocol.

Please note that we do not test on older versions of SourceTree.

Cheers,

Gary

Suggest an answer

Log in or Sign up to answer
Community showcase
Published May 30, 2018 in Sourcetree

Tip from the team: configuring Git or Mercurial in Sourcetree

Supported Platforms macOS Windows To make using Sourcetree as simple yet powerful as possible we embed (bundle) dependencies such as Git, Git LFS, and Mercurial. We strive to keep these...

862 views 2 3
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you