Just installing v2.0.20.1 DOES NOT seem to fix CVE-2017-8768


Per the vulnerability is in the custom URL command handler.

I had 1.9.13 installed (on Windows 10), and then installed


  • DOES NOT uninstall v1.9.x
  • DOES NOT remove or change the registry entry that defines the command handler (HKEY_CLASSES_ROOT\sourcetree)

So the dangerous custom URL handler still runs, and still loads the vulnerable v1.9.x despite the installation of v2.0.20.1.

Unless you manually uninstall 1.x, it seems that this vulnerability still exists!

I hope this is just something unusual with my setup, but I've tried un-installing and re-installing and the same issue persists.

The security warning email and page say:

"Customers who have upgraded to SourceTree for Mac version 2.5.1 or SourceTree for Windows version are not affected."

This does not appear to be true. To be true it would need to add "and have manually uninstalled all 1.x".


Some comments on the limited attempts made to notify the user:

  1. starting the very latest 1.19.x says "this is not supported".
    • "Not supported" does not mean "is vulnerable and must be uninstalled"! This warning needs to be much stronger!
    • This version updated with this message should have removed the command handler registry entry to at least reduce the risk
  2. starting says "these old versions were found and it's recommended they be uninstalled"
    • Again, no mention of critical vulnerabilities. This should be much stronger!
    • Even if 2.0.20.x can't uninstall the old versions automatically, it can at least delete or overwrite the registry entry that defines the command handler.

Test Case

To test this for yourself:

1. Create a new html file with contents such as:

  <a href="sourcetree://vulnerability">Is this still vulnerable</a>

2. Open the html file in a browser and click the link. If SourceTree 1.9.x opens you are likely still vulnerable


I realise SourceTree is free and you are presumably under lots of pressure over the last few days, so I do want to say thanks for the hard work and I hope these issues can be resolved quickly.

I don't believe anything in this discusses security issues that are not already in the public domain (or trivially related to it).  If you disagree, please feel free to remove this comment and point me at your security contact.
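As an added example (not code from the original post or from Atlassian), the following PowerShell script performs the same check as the HTML link test above without clicking anything: it reads the registry keys that define the sourcetree:// protocol handler and reports which executable Windows will actually launch, including its file version. It assumes the handler follows the standard Windows URI-scheme layout (a `sourcetree` key under `HKCU\Software\Classes` or `HKLM\Software\Classes` with a `shell\open\command` default value of the form `"C:\...\SourceTree.exe" "%1"`); the exact SourceTree install path is not stated on the page and is not assumed here.

```powershell
# Added example, not from the original post or from Atlassian.
# Reports which executable the sourcetree:// URL scheme dispatches to, so you
# can see whether a 1.x binary is still wired up after installing 2.0.20.x.
#
# Assumption (not from the page): the handler uses the standard Windows
# URI-scheme registry layout, i.e. <hive>\Software\Classes\sourcetree\shell\open\command.

function Get-UrlSchemeHandler {
    param([Parameter(Mandatory)][string]$Scheme)

    # HKEY_CLASSES_ROOT is a merged view of the two hives below, and the
    # per-user key takes precedence over the machine-wide one, so check
    # HKCU first: that is the one Windows will actually honour.
    $hives = @(
        "Registry::HKEY_CURRENT_USER\Software\Classes\$Scheme",
        "Registry::HKEY_LOCAL_MACHINE\Software\Classes\$Scheme"
    )

    foreach ($key in $hives) {
        $cmdKey = "$key\shell\open\command"
        if (-not (Test-Path -Path $cmdKey)) { continue }

        # The handler command line is stored as the key's default value.
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        if (-not $cmd) { continue }

        # Typical form is "C:\path\SourceTree.exe" "%1"; extract the
        # executable whether or not it is quoted.
        if ($cmd -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } else {
            $exe = ($cmd -split '\s+')[0]
        }

        $exists  = Test-Path -LiteralPath $exe
        $version = $null
        if ($exists) {
            # File version of the binary the link will launch.
            $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        }

        return [pscustomobject]@{
            Scheme  = $Scheme
            Key     = $key
            Command = $cmd
            Exe     = $exe
            Exists  = $exists
            Version = $version
        }
    }
    return $null
}

$handler = Get-UrlSchemeHandler -Scheme 'sourcetree'
if ($null -eq $handler) {
    Write-Output 'No handler registered for sourcetree:// (such links will launch nothing).'
} else {
    $handler | Format-List
    if ($handler.Version -like '1.*') {
        Write-Warning "sourcetree:// still dispatches to a 1.x binary: $($handler.Exe)"
        Write-Warning 'Uninstall the 1.x version, or remove the key below, to close the gap.'
    }
}

# Remediation, if you decide the handler must go rather than be repointed
# (run only after reviewing the output above; this unregisters the scheme
# entirely, so sourcetree:// links will no longer launch anything):
#   Remove-Item -Path $handler.Key -Recurse -Force
```

Run it in an elevated PowerShell if you want the `HKLM` removal to succeed; the per-user key can be removed without elevation. The version check is a heuristic on the launched binary's `ProductVersion`, so a handler that points at a path which no longer exists (`Exists = False`) is also worth cleaning up, since the registration is stale either way.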

1 comment

Hi Richard - this is a community forum used (mostly) by users like you and me to share knowledge, tips and ask and answer questions.

Atlassian do read and post on here, but it's not a formal way to give feedback, raise bugs or request support.

If you want to contact Atlassian directly with a bug report like this, the best way is via a support ticket at

That'll get a bug raised on

In the meantime, I will see if I can bring this to the attention of someone from Atlassian.

Thanks for taking this up Sam,

I have had responses to other comments on here so I didn't realise there was somewhere else for more directly entering bugs.  I'll go and add this bug via the link you recommend.

If you have contacts with Atlassian, it's probably worth suggesting that they make the location for adding bug reports more clear; both in this section, and in the emails launching this community section.  e.g. the email I received 3 days ago said:

"Get product support via the Q&A forum" (their bold)

so I hope I can be forgiven for posting in the wrong place!

That said, I do think it also has a place here as I feel it is important for other users to know the potential ongoing risk and how to protect themselves.

No problem. It seems worth flagging up.

For what it's worth, I think Atlassian would rather people came here first with most product related questions.

It's deliberately promoted as the first stop for users, partly because it filters out a lot of the trivial stuff before it goes to their support team (not that I am saying this is trivial!).

After all, me replying to you here is not costing them any money : )

Plus, there are some serious experts who post here with tons of experience in using Atlassian's products. 

I agree that they could make the route to raise a bug more obvious. In general, there's quite an array of resources and contact points available, so I'm never surprised when it is not clear.

I hope this new community is the first step toward improving that stuff. That's partly why I put the effort in here to help.

Oh - also. This is the original bug on CVE-2017-8768, if you didn't look through it already:

Could be worth a comment on there.

chhabs Atlassian Team May 11, 2017

Hi Richard, thanks for writing in and for the feedback. You're correct, manually removing older versions is required to close the security gap. We'll update our documents accordingly. Thank you for your thoughtful comments and proactive support.


Product Manager | SourceTree

PS. I'll comment on the support ticket as well. 

