SourceTree for Windows – Remote Code Injection using Git LFS – CVE-2020-27955

Summary

Advisory Release Date: 20 Jan 2021

Product: SourceTree for Windows

Affected Versions: Version 3.3.9 and earlier

Fixed Versions : Version 3.4.0 and later

CVE ID(s): CVE-2020-27955

Summary of Vulnerability
This advisory discloses a critical severity security vulnerability which was introduced through the git-lfs library and discovered in version 3.3.9 of SourceTree for Windows . Versions of SourceTree for Windows starting with 0.9.4 before 3.4.0 (the fixed version for CVE-2020-27955) are affected by this vulnerability.

Description
There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.

All versions of SourceTree for Windows up to and including 3.3.9 are affected by this vulnerability.

What You Need to Do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree for Windows, see the release notes. You can download the latest version of the standard installer.

If you can’t upgrade SourceTree, update git and git-lfs on your system to the latest versions and use them in your existing Sourcetree

Visit the Atlassian Security Advisories Website