More info on the Command Injection issue?

Scott Robertson May 10, 2017

I received an email from Atlassian relating to the Command Injection issue in SourceTree and suggesting an upgrade to the most recent version of SourceTree, as I'm sure all users did.

I am hesitant about upgrading in an Enterprise environment to the newest version for a couple reasons I will not get into here. Is there any information on what exactly the risks are if I stay on a pre-2 version? And is there any way of mitigating those risks other than upgrading?

Much appreciate any responses

1 answer

1 accepted

1 vote
Answer accepted
Gary
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 10, 2017

Hi Scott,

Please see https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+Security+Advisory+2017-05-10https://nvd.nist.gov/vuln/detail/CVE-2017-8768 for more information.

Can you also tell me if you are using the Windows version, or OSX version of SourceTree?

Cheers,
Gary

Scott Robertson May 10, 2017

Thanks for the links. I had seen the first one and found it a little vague on what exactly the possible repercussions could be, I will follow up on the latter link though.

I'm using the Windows version.

Scott Robertson May 10, 2017

After following the links I believe I understand the seriousness of the issue. Is there any way of effectively negating the issue in affected versions, such as unlinking the installed Sourcetree from URI association?

Gary
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 10, 2017

Hey Scott,

Upgrading is the preferred path.  

Alternatively, you can uncheck the option "Use this version of SourceTree for UIR Association" in the Tools/Options/General Tab and remove the following registry key "HKEY_CURRENT_USER\SOFTWARE\Classes\sourcetree\shell\opencommand" - this disables the handling of the "sourcetree://" protocol.

Please note that we do not test on older versions of SourceTree.

Cheers,

Gary

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events