Atlassian SourceTree for Windows Security Advisory

SourceTree for Windows – Remote Code Injection using Git LFS – CVE-2020-27955

Summary

Advisory Release Date: 20 Jan 2021

Product: SourceTree for Windows

Affected Versions: Version 3.3.9 and earlier

Fixed Versions: Version 3.4.0 and later

CVE ID(s): CVE-2020-27955

Summary of Vulnerability
This advisory discloses a critical-severity security vulnerability that was introduced through the git-lfs library and discovered in version 3.3.9 of SourceTree for Windows. Versions of SourceTree for Windows starting with 0.9.4 and before 3.4.0 (the fixed version for CVE-2020-27955) are affected by this vulnerability.

Description
There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.

All versions of SourceTree for Windows up to and including 3.3.9 are affected by this vulnerability.

What You Need to Do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree for Windows, see the release notes. You can download the latest version of the standard installer.

If you can’t upgrade SourceTree, update git and git-lfs on your system to the latest versions and configure your existing SourceTree installation to use them.
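To find installs that still need the upgrade, the affected range stated in this advisory can be applied to a version inventory. The following is an added example, not Atlassian's or ReleaseTEAM's code; the host names and version strings are constructed sample data, and the function names are illustrative.

```python
import re

# Bounds as stated in the advisory: affected from 0.9.4, fixed in 3.4.0.
FIRST_AFFECTED = (0, 9, 4)
FIRST_FIXED = (3, 4, 0)

def parse_version(raw):
    """Parse '3.3.9' or '3.3.9.1' into a tuple of ints; None if malformed."""
    match = re.fullmatch(r"\s*v?(\d+(?:\.\d+){1,3})\s*", raw or "")
    if match is None:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # '3.4' -> (3, 4, 0)
    return tuple(parts)

def classify(raw):
    """Return 'affected', 'fixed', or 'review' for one reported version."""
    version = parse_version(raw)
    if version is None or version < FIRST_AFFECTED:
        return "review"  # unparseable, or older than the range the advisory lists
    return "fixed" if version >= FIRST_FIXED else "affected"

def triage(inventory):
    """Group host names by status. inventory maps host -> version string."""
    groups = {"affected": [], "fixed": [], "review": []}
    for host, raw in inventory.items():
        groups[classify(raw)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "build-01": "3.3.9",
    "dev-07": "3.4.0",
    "dev-12": "2.6.10",
    "qa-03": "3.4.2.0",
    "lab-02": "unknown",
    "old-01": "0.9.2",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Hosts that rely on the alternative mitigation (updated system git and git-lfs) still report an affected SourceTree version, so confirm those separately.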

Visit the Atlassian Security Advisories Website
