Search

Find a vulnerability

Search criteria

    16 vulnerabilities found for Sourcetree for Windows by Atlassian

    CVE-2023-22514 (GCVE-0-2023-22514)

    Vulnerability from cvelistv5 – Published: 2025-03-18 17:03 – Updated: 2025-05-12 15:40
    VLAI
    Summary
    This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.14 of Sourcetree for Mac and Sourcetree for Windows. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.8, and a CVSS Vector of: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H which allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Sourcetree for Mac and Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.15 See the release notes (https://www.sourcetreeapp.com/download-archives). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center (https://www.sourcetreeapp.com/download-archives). This vulnerability was reported via our Penetration Testing program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • RCE (Remote Code Execution)
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Mac Unaffected: < 3.4.14
    Affected: >= 3.4.14
    Unaffected: >= 3.4.15
    Create a notification for this product.
    Atlassian Sourcetree for Windows Unaffected: < 3.4.14
    Affected: >= 3.4.14
    Unaffected: >= 3.4.15
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-12T15:40:08.894218Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T15:40:34.777Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Mac",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 3.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.4.14"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 3.4.15"
                }
              ]
            },
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 3.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.4.14"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 3.4.15"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.14 of Sourcetree for Mac and Sourcetree for Windows. \r\n\t\r\n\tThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.8, and a CVSS Vector of: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H which allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. \r\n\t\r\n\tAtlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n\t\t\r\n\t\tSourcetree for Mac and Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.15\r\n\t\t\r\n\t\t\r\n\t\r\n\tSee the release notes (https://www.sourcetreeapp.com/download-archives). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center (https://www.sourcetreeapp.com/download-archives). \r\n\t\r\n\tThis vulnerability was reported via our Penetration Testing program."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "RCE (Remote Code Execution)",
                  "lang": "en",
                  "type": "RCE (Remote Code Execution)"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-18T17:03:59.441Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1299929380"
            },
            {
              "url": "https://jira.atlassian.com/browse/SRCTREE-8076"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2023-22514",
        "datePublished": "2025-03-18T17:03:59.441Z",
        "dateReserved": "2023-01-01T00:01:22.330Z",
        "dateUpdated": "2025-05-12T15:40:34.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21697 (GCVE-0-2024-21697)

    Vulnerability from cvelistv5 – Published: 2024-11-19 19:00 – Updated: 2024-11-25 14:04
    VLAI
    Summary
    This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9 Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20 See the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]). This vulnerability was reported via our Penetration Testing program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Mac Affected: All versions from 4.2.8 to 4.2.8
    Unaffected: All versions from 4.2.9
    Create a notification for this product.
    Atlassian Sourcetree for Windows Affected: All versions from 3.4.19 to 3.4.19
    Unaffected: All versions from 3.4.20
    Create a notification for this product.
    atlassian sourcetree Affected: 4.2.8 , < 4.2.9 (custom)
        cpe:2.3:a:atlassian:sourcetree:*:*:*:*:*:macos:*:*
    Create a notification for this product.
    atlassian sourcetree Affected: 3.4.19 , < 3.4.20 (custom)
        cpe:2.3:a:atlassian:sourcetree:*:*:*:*:*:windows:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:sourcetree:*:*:*:*:*:macos:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sourcetree",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "4.2.9",
                    "status": "affected",
                    "version": "4.2.8",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:sourcetree:*:*:*:*:*:windows:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sourcetree",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "3.4.20",
                    "status": "affected",
                    "version": "3.4.19",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21697",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-23T04:55:49.200583Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T14:04:49.167Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Mac",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions from 4.2.8 to 4.2.8"
                },
                {
                  "status": "unaffected",
                  "version": "All versions from 4.2.9"
                }
              ]
            },
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions from 3.4.19 to 3.4.19"
                },
                {
                  "status": "unaffected",
                  "version": "All versions from 3.4.20"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\r\n\r\nAtlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9\r\n Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20\r\n\r\nSee the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]).\r\n\r\nThis vulnerability was reported via our Penetration Testing program."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "RCE (Remote Code Execution)",
                  "lang": "en",
                  "type": "RCE (Remote Code Execution)"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-19T19:00:00.635Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1456179091"
            },
            {
              "url": "https://jira.atlassian.com/browse/SRCTREE-8168"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2024-21697",
        "datePublished": "2024-11-19T19:00:00.635Z",
        "dateReserved": "2024-01-01T00:05:33.848Z",
        "dateUpdated": "2024-11-25T14:04:49.167Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11582 (GCVE-0-2019-11582)

    Vulnerability from cvelistv5 – Published: 2019-06-14 13:54 – Updated: 2024-09-16 19:25
    VLAI
    Summary
    An argument injection vulnerability in Atlassian Sourcetree for Windows's URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI.
    Severity
    No CVSS data available.
    CWE
    • Argument Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: 0.5a , < unspecified (custom)
    Affected: unspecified , < 3.1.3 (custom)
    Create a notification for this product.
    Date Public
    2019-06-05 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:55:41.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11917"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0.5a",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.1.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-06-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An argument injection vulnerability in Atlassian Sourcetree for Windows\u0027s URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Argument Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-14T13:54:38.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11917"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-06-05T17:00:00",
              "ID": "CVE-2019-11582",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "0.5a"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "3.1.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An argument injection vulnerability in Atlassian Sourcetree for Windows\u0027s URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Argument Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-11917",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11917"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-11582",
        "datePublished": "2019-06-14T13:54:38.881Z",
        "dateReserved": "2019-04-29T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:25:35.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-20236 (GCVE-0-2018-20236)

    Vulnerability from cvelistv5 – Published: 2019-03-08 18:00 – Updated: 2024-09-16 19:10
    VLAI
    Summary
    There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system.
    Severity
    No CVSS data available.
    CWE
    • Command Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: 0.5a , < unspecified (custom)
    Affected: unspecified , < 3.0.10 (custom)
    Create a notification for this product.
    Date Public
    2019-03-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T11:58:19.094Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "107401",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107401"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11291"
              },
              {
                "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Mar/30"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0.5a",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-03-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-21T15:06:05.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "name": "107401",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107401"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11291"
            },
            {
              "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Mar/30"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-03-06T00:00:00",
              "ID": "CVE-2018-20236",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "0.5a"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "3.0.10"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Command Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "107401",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107401"
                },
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-11291",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11291"
                },
                {
                  "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Mar/30"
                },
                {
                  "name": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-20236",
        "datePublished": "2019-03-08T18:00:00.000Z",
        "dateReserved": "2018-12-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:10:38.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-20235 (GCVE-0-2018-20235)

    Vulnerability from cvelistv5 – Published: 2019-03-08 18:00 – Updated: 2024-09-16 23:56
    VLAI
    Summary
    There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
    Severity
    No CVSS data available.
    CWE
    • Argument Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: 0.5a , < unspecified (custom)
    Affected: unspecified , < 3.0.15 (custom)
    Create a notification for this product.
    Date Public
    2019-03-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T11:58:18.789Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11289"
              },
              {
                "name": "107407",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107407"
              },
              {
                "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Mar/30"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0.5a",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-03-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Argument Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-21T15:06:05.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11289"
            },
            {
              "name": "107407",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107407"
            },
            {
              "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Mar/30"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-03-06T00:00:00",
              "ID": "CVE-2018-20235",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "0.5a"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "3.0.15"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Argument Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-11289",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11289"
                },
                {
                  "name": "107407",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107407"
                },
                {
                  "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Mar/30"
                },
                {
                  "name": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-20235",
        "datePublished": "2019-03-08T18:00:00.000Z",
        "dateReserved": "2018-12-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:56:51.778Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-13397 (GCVE-0-2018-13397)

    Vulnerability from cvelistv5 – Published: 2018-11-05 22:00 – Updated: 2024-09-16 23:11
    VLAI
    Summary
    There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
    Severity
    No CVSS data available.
    CWE
    • Argument Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: 0.5.1.0 , < unspecified (custom)
    Affected: unspecified , < 3.0.0 (custom)
    Create a notification for this product.
    Date Public
    2018-10-31 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:00:35.170Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-9077"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0.5.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-10-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Argument Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-11-05T21:57:02.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-9077"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-10-31T00:00:00",
              "ID": "CVE-2018-13397",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "0.5.1.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "3.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Argument Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-9077",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-9077"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-13397",
        "datePublished": "2018-11-05T22:00:00.000Z",
        "dateReserved": "2018-07-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:11:19.581Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-13386 (GCVE-0-2018-13386)

    Vulnerability from cvelistv5 – Published: 2018-07-24 13:00 – Updated: 2024-09-16 23:56
    VLAI
    Summary
    There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Argument Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: unspecified , < 2.6.9 (custom)
    Create a notification for this product.
    Date Public
    2018-07-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:00:35.135Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8884"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "2.6.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-07-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Argument Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-24T12:57:01.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8884"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-07-18T00:00:00",
              "ID": "CVE-2018-13386",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.6.9"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Argument Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-8884",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8884"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-13386",
        "datePublished": "2018-07-24T13:00:00.000Z",
        "dateReserved": "2018-07-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:56:52.701Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-14593 (GCVE-0-2017-14593)

    Vulnerability from cvelistv5 – Published: 2018-01-26 02:00 – Updated: 2024-09-17 01:56
    VLAI
    Summary
    Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability
    Severity
    No CVSS data available.
    CWE
    • OS Command Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: Versions starting with 0.5.1.0 before version 2.4.7.0
    Create a notification for this product.
    Date Public
    2018-01-24 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:34:38.637Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "102926",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/102926"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8256"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "affected",
                  "version": "Versions starting with 0.5.1.0 before version 2.4.7.0"
                }
              ]
            }
          ],
          "datePublic": "2018-01-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "OS Command Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-02-07T10:57:01.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "name": "102926",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/102926"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8256"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-01-24T00:00:00",
              "ID": "CVE-2017-14593",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Versions starting with 0.5.1.0 before version 2.4.7.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "OS Command Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "102926",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/102926"
                },
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-8256",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8256"
                },
                {
                  "name": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html",
                  "refsource": "CONFIRM",
                  "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2017-14593",
        "datePublished": "2018-01-26T02:00:00.000Z",
        "dateReserved": "2017-09-19T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:56:19.487Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21697 (GCVE-0-2024-21697)

    Vulnerability from nvd – Published: 2024-11-19 19:00 – Updated: 2024-11-25 14:04
    VLAI
    Summary
    This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9 Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20 See the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]). This vulnerability was reported via our Penetration Testing program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Mac Affected: All versions from 4.2.8 to 4.2.8
    Unaffected: All versions from 4.2.9
    Create a notification for this product.
    Atlassian Sourcetree for Windows Affected: All versions from 3.4.19 to 3.4.19
    Unaffected: All versions from 3.4.20
    Create a notification for this product.
    atlassian sourcetree Affected: 4.2.8 , < 4.2.9 (custom)
        cpe:2.3:a:atlassian:sourcetree:*:*:*:*:*:macos:*:*
    Create a notification for this product.
    atlassian sourcetree Affected: 3.4.19 , < 3.4.20 (custom)
        cpe:2.3:a:atlassian:sourcetree:*:*:*:*:*:windows:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:sourcetree:*:*:*:*:*:macos:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sourcetree",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "4.2.9",
                    "status": "affected",
                    "version": "4.2.8",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:sourcetree:*:*:*:*:*:windows:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sourcetree",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "3.4.20",
                    "status": "affected",
                    "version": "3.4.19",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21697",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-23T04:55:49.200583Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-25T14:04:49.167Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Mac",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions from 4.2.8 to 4.2.8"
                },
                {
                  "status": "unaffected",
                  "version": "All versions from 4.2.9"
                }
              ]
            },
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions from 3.4.19 to 3.4.19"
                },
                {
                  "status": "unaffected",
                  "version": "All versions from 3.4.20"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 4.2.8 of Sourcetree for Mac and 3.4.19 for Sourcetree for Windows.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8, allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction.\r\n\r\nAtlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Sourcetree for Mac 4.2: Upgrade to a release greater than or equal to 4.2.9\r\n Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.20\r\n\r\nSee the release notes ([https://www.sourcetreeapp.com/download-archives]). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center ([https://www.sourcetreeapp.com/download-archives]).\r\n\r\nThis vulnerability was reported via our Penetration Testing program."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "RCE (Remote Code Execution)",
                  "lang": "en",
                  "type": "RCE (Remote Code Execution)"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-19T19:00:00.635Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1456179091"
            },
            {
              "url": "https://jira.atlassian.com/browse/SRCTREE-8168"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2024-21697",
        "datePublished": "2024-11-19T19:00:00.635Z",
        "dateReserved": "2024-01-01T00:05:33.848Z",
        "dateUpdated": "2024-11-25T14:04:49.167Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22514 (GCVE-0-2023-22514)

    Vulnerability from nvd – Published: 2025-03-18 17:03 – Updated: 2025-05-12 15:40
    VLAI
    Summary
    This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.14 of Sourcetree for Mac and Sourcetree for Windows. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.8, and a CVSS Vector of: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H which allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Sourcetree for Mac and Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.15 See the release notes (https://www.sourcetreeapp.com/download-archives). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center (https://www.sourcetreeapp.com/download-archives). This vulnerability was reported via our Penetration Testing program.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • RCE (Remote Code Execution)
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Mac Unaffected: < 3.4.14
    Affected: >= 3.4.14
    Unaffected: >= 3.4.15
    Create a notification for this product.
    Atlassian Sourcetree for Windows Unaffected: < 3.4.14
    Affected: >= 3.4.14
    Unaffected: >= 3.4.15
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-12T15:40:08.894218Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T15:40:34.777Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Mac",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 3.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.4.14"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 3.4.15"
                }
              ]
            },
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "\u003c 3.4.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.4.14"
                },
                {
                  "status": "unaffected",
                  "version": "\u003e= 3.4.15"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 3.4.14 of Sourcetree for Mac and Sourcetree for Windows. \r\n\t\r\n\tThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.8, and a CVSS Vector of: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H which allows an unauthenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. \r\n\t\r\n\tAtlassian recommends that Sourcetree for Mac and Sourcetree for Windows customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n\t\t\r\n\t\tSourcetree for Mac and Sourcetree for Windows 3.4: Upgrade to a release greater than or equal to 3.4.15\r\n\t\t\r\n\t\t\r\n\t\r\n\tSee the release notes (https://www.sourcetreeapp.com/download-archives). You can download the latest version of Sourcetree for Mac and Sourcetree for Windows from the download center (https://www.sourcetreeapp.com/download-archives). \r\n\t\r\n\tThis vulnerability was reported via our Penetration Testing program."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "RCE (Remote Code Execution)",
                  "lang": "en",
                  "type": "RCE (Remote Code Execution)"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-18T17:03:59.441Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1299929380"
            },
            {
              "url": "https://jira.atlassian.com/browse/SRCTREE-8076"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2023-22514",
        "datePublished": "2025-03-18T17:03:59.441Z",
        "dateReserved": "2023-01-01T00:01:22.330Z",
        "dateUpdated": "2025-05-12T15:40:34.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-11582 (GCVE-0-2019-11582)

    Vulnerability from nvd – Published: 2019-06-14 13:54 – Updated: 2024-09-16 19:25
    VLAI
    Summary
    An argument injection vulnerability in Atlassian Sourcetree for Windows's URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI.
    Severity
    No CVSS data available.
    CWE
    • Argument Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: 0.5a , < unspecified (custom)
    Affected: unspecified , < 3.1.3 (custom)
    Create a notification for this product.
    Date Public
    2019-06-05 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:55:41.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11917"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0.5a",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.1.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-06-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An argument injection vulnerability in Atlassian Sourcetree for Windows\u0027s URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Argument Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-14T13:54:38.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11917"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-06-05T17:00:00",
              "ID": "CVE-2019-11582",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "0.5a"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "3.1.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An argument injection vulnerability in Atlassian Sourcetree for Windows\u0027s URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Argument Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-11917",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11917"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-11582",
        "datePublished": "2019-06-14T13:54:38.881Z",
        "dateReserved": "2019-04-29T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:25:35.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-20236 (GCVE-0-2018-20236)

    Vulnerability from nvd – Published: 2019-03-08 18:00 – Updated: 2024-09-16 19:10
    VLAI
    Summary
    There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system.
    Severity
    No CVSS data available.
    CWE
    • Command Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: 0.5a , < unspecified (custom)
    Affected: unspecified , < 3.0.10 (custom)
    Create a notification for this product.
    Date Public
    2019-03-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T11:58:19.094Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "107401",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107401"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11291"
              },
              {
                "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Mar/30"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0.5a",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-03-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-21T15:06:05.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "name": "107401",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107401"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11291"
            },
            {
              "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Mar/30"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-03-06T00:00:00",
              "ID": "CVE-2018-20236",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "0.5a"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "3.0.10"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Command Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "107401",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107401"
                },
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-11291",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11291"
                },
                {
                  "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Mar/30"
                },
                {
                  "name": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-20236",
        "datePublished": "2019-03-08T18:00:00.000Z",
        "dateReserved": "2018-12-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:10:38.203Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-20235 (GCVE-0-2018-20235)

    Vulnerability from nvd – Published: 2019-03-08 18:00 – Updated: 2024-09-16 23:56
    VLAI
    Summary
    There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
    Severity
    No CVSS data available.
    CWE
    • Argument Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: 0.5a , < unspecified (custom)
    Affected: unspecified , < 3.0.15 (custom)
    Create a notification for this product.
    Date Public
    2019-03-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T11:58:18.789Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11289"
              },
              {
                "name": "107407",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/107407"
              },
              {
                "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Mar/30"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0.5a",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-03-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Argument Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-03-21T15:06:05.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11289"
            },
            {
              "name": "107407",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/107407"
            },
            {
              "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Mar/30"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2019-03-06T00:00:00",
              "ID": "CVE-2018-20235",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "0.5a"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "3.0.15"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Argument Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-11289",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-11289"
                },
                {
                  "name": "107407",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/107407"
                },
                {
                  "name": "20190320 March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities",
                  "refsource": "BUGTRAQ",
                  "url": "https://seclists.org/bugtraq/2019/Mar/30"
                },
                {
                  "name": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-20235",
        "datePublished": "2019-03-08T18:00:00.000Z",
        "dateReserved": "2018-12-19T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:56:51.778Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-13397 (GCVE-0-2018-13397)

    Vulnerability from nvd – Published: 2018-11-05 22:00 – Updated: 2024-09-16 23:11
    VLAI
    Summary
    There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
    Severity
    No CVSS data available.
    CWE
    • Argument Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: 0.5.1.0 , < unspecified (custom)
    Affected: unspecified , < 3.0.0 (custom)
    Create a notification for this product.
    Date Public
    2018-10-31 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:00:35.170Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-9077"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "0.5.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-10-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Argument Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-11-05T21:57:02.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-9077"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-10-31T00:00:00",
              "ID": "CVE-2018-13397",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "0.5.1.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "3.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Argument Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-9077",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-9077"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-13397",
        "datePublished": "2018-11-05T22:00:00.000Z",
        "dateReserved": "2018-07-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:11:19.581Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-13386 (GCVE-0-2018-13386)

    Vulnerability from nvd – Published: 2018-07-24 13:00 – Updated: 2024-09-16 23:56
    VLAI
    Summary
    There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability.
    Severity
    No CVSS data available.
    CWE
    • Argument Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: unspecified , < 2.6.9 (custom)
    Create a notification for this product.
    Date Public
    2018-07-18 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T09:00:35.135Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8884"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "2.6.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2018-07-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Argument Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-24T12:57:01.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8884"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-07-18T00:00:00",
              "ID": "CVE-2018-13386",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.6.9"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Argument Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-8884",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8884"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2018-13386",
        "datePublished": "2018-07-24T13:00:00.000Z",
        "dateReserved": "2018-07-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:56:52.701Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-14593 (GCVE-0-2017-14593)

    Vulnerability from nvd – Published: 2018-01-26 02:00 – Updated: 2024-09-17 01:56
    VLAI
    Summary
    Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability
    Severity
    No CVSS data available.
    CWE
    • OS Command Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Sourcetree for Windows Affected: Versions starting with 0.5.1.0 before version 2.4.7.0
    Create a notification for this product.
    Date Public
    2018-01-24 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:34:38.637Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "102926",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/102926"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8256"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Sourcetree for Windows",
              "vendor": "Atlassian",
              "versions": [
                {
                  "status": "affected",
                  "version": "Versions starting with 0.5.1.0 before version 2.4.7.0"
                }
              ]
            }
          ],
          "datePublic": "2018-01-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "OS Command Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-02-07T10:57:01.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "name": "102926",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/102926"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8256"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2018-01-24T00:00:00",
              "ID": "CVE-2017-14593",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Sourcetree for Windows",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Versions starting with 0.5.1.0 before version 2.4.7.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler. Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "OS Command Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "102926",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/102926"
                },
                {
                  "name": "https://jira.atlassian.com/browse/SRCTREEWIN-8256",
                  "refsource": "CONFIRM",
                  "url": "https://jira.atlassian.com/browse/SRCTREEWIN-8256"
                },
                {
                  "name": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html",
                  "refsource": "CONFIRM",
                  "url": "https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2017-14593",
        "datePublished": "2018-01-26T02:00:00.000Z",
        "dateReserved": "2017-09-19T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:56:19.487Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }