SourceTree for Windows – Remote Code Injection using Git LFS – CVE-2020-27955
Advisory Release Date: 20 Jan 2021
Product: SourceTree for Windows
Affected Versions: Version 3.3.9 and earlier
Fixed Versions: Version 3.4.0 and later
CVE ID(s): CVE-2020-27955
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability that was introduced through the git-lfs library and discovered in version 3.3.9 of SourceTree for Windows. Versions of SourceTree for Windows starting with 0.9.4 and before 3.4.0 (the fixed version for CVE-2020-27955) are affected by this vulnerability.
There was an argument injection vulnerability in SourceTree for Windows, introduced through git-lfs. An attacker could create a malicious repository which, once cloned in SourceTree for Windows with git-lfs enabled, exploits this issue to gain code execution on the system.
All versions of SourceTree for Windows up to and including 3.3.9 are affected by this vulnerability.
What You Need to Do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree for Windows, see the release notes. You can download the latest version of the standard installer.
If you can't upgrade SourceTree, update git and git-lfs on your system to the latest versions and use them in your existing SourceTree installation.