More info on the Command Injection issue?

I received an email from Atlassian relating to the Command Injection issue in SourceTree and suggesting an upgrade to the most recent version of SourceTree, as I'm sure all users did.

I am hesitant about upgrading in an Enterprise environment to the newest version for a couple reasons I will not get into here. Is there any information on what exactly the risks are if I stay on a pre-2 version? And is there any way of mitigating those risks other than upgrading?

Much appreciate any responses

1 answer

1 accepted

1 votes
Gary Sackett Atlassian Team May 10, 2017

Hi Scott,

Please see https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+Security+Advisory+2017-05-10https://nvd.nist.gov/vuln/detail/CVE-2017-8768 for more information.

Can you also tell me if you are using the Windows version, or OSX version of SourceTree?

Cheers,
Gary

Thanks for the links. I had seen the first one and found it a little vague on what exactly the possible repercussions could be, I will follow up on the latter link though.

I'm using the Windows version.

After following the links I believe I understand the seriousness of the issue. Is there any way of effectively negating the issue in affected versions, such as unlinking the installed Sourcetree from URI association?

Gary Sackett Atlassian Team May 10, 2017

Hey Scott,

Upgrading is the preferred path.  

Alternatively, you can uncheck the option "Use this version of SourceTree for UIR Association" in the Tools/Options/General Tab and remove the following registry key "HKEY_CURRENT_USER\SOFTWARE\Classes\sourcetree\shell\opencommand" - this disables the handling of the "sourcetree://" protocol.

Please note that we do not test on older versions of SourceTree.

Cheers,

Gary

Suggest an answer

Log in or Join to answer
Community showcase
Brian Ganninger
Published Jan 23, 2018 in Sourcetree

Tip from the team: workflow and keyboard shortcuts

Supported Platforms macOS Sourcetree has a lot to offer and, like many developer tools, finding and using it all can be a challenge, especially for a new user. Everyone might not love ...

253 views 0 3
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot