Atlassian SourceTree for Windows Security Advisory
SourceTree for Windows – Remote Code Injection using Git LFS – CVE-2020-27955
Summary
Advisory Release Date: 20 Jan 2021
Product: SourceTree for Windows
Affected Versions: Version 3.3.9 and earlier
Fixed Versions: Version 3.4.0 and later
CVE ID(s): CVE-2020-27955
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability that was introduced through the git-lfs library and discovered in version 3.3.9 of SourceTree for Windows. Versions of SourceTree for Windows from 0.9.4 up to, but not including, 3.4.0 (the fixed version for CVE-2020-27955) are affected by this vulnerability.
Description
There was an argument injection vulnerability in SourceTree for Windows, introduced through git-lfs. An attacker could create a malicious repository which, once cloned in SourceTree for Windows with git-lfs enabled, exploits this issue to gain code execution on the system.
All versions of SourceTree for Windows up to and including 3.3.9 are affected by this vulnerability.
What You Need to Do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree for Windows, see the release notes. You can download the latest version of the standard installer.
If you can't upgrade SourceTree, update git and git-lfs on your system to the latest versions and use them from your existing SourceTree installation.
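The following PowerShell check is an added example, not part of the Atlassian advisory or of ReleaseTEAM's page: it reports whether the locally installed SourceTree for Windows falls inside the range this advisory names for CVE-2020-27955 (0.9.4 up to but not including 3.4.0) and prints the git and git-lfs versions found on PATH, which the fallback step above asks you to update. It assumes SourceTree registers a DisplayName beginning "Sourcetree" under the standard Windows Uninstall registry keys and that git is on PATH.

```powershell
# Added example, not code from the Atlassian advisory or the ReleaseTEAM page.
# Affected range for CVE-2020-27955 as stated in the advisory.
$AffectedFrom = [version]'0.9.4'
$FixedIn      = [version]'3.4.0'

function Get-SourceTreeVersion {
    # Assumption: SourceTree registers a DisplayName starting "Sourcetree" in the
    # standard Uninstall keys (per-user installs under HKCU, machine-wide under HKLM).
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sourcetree*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-Cve202027955Affected([string]$VersionString) {
    # Returns $true/$false for a parseable version, $null if it cannot be parsed.
    $v = $null
    if (-not [version]::TryParse($VersionString, [ref]$v)) { return $null }
    return ($v -ge $AffectedFrom -and $v -lt $FixedIn)
}

$stVersion = Get-SourceTreeVersion
if (-not $stVersion) {
    Write-Output 'SourceTree for Windows not found in the Uninstall registry keys.'
} else {
    switch (Test-Cve202027955Affected $stVersion) {
        $null  { Write-Output "SourceTree $stVersion: version string could not be parsed." }
        $true  { Write-Output "SourceTree $stVersion is in the affected range for CVE-2020-27955; upgrade to 3.4.0 or later." }
        $false { Write-Output "SourceTree $stVersion is outside the affected range for CVE-2020-27955." }
    }
}

# The advisory's fallback is to update git and git-lfs, so record what is on PATH.
foreach ($gitArgs in @(@('--version'), @('lfs', 'version'))) {
    try   { Write-Output "git $gitArgs -> $(& git @gitArgs 2>&1)" }
    catch { Write-Output "git $gitArgs -> not available ($($_.Exception.Message))" }
}
```

Run it in a normal user session so the HKCU key of the user who installed SourceTree is the one inspected.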
Visit the Atlassian Security Advisories Website