Allele Security Alert
ASA-2019-00127, CVE-2018-20234, CVE-2018-20235
Argument injection via Mercurial hooks
Affected versions:
Sourcetree for macOS, from version 1.2 up to (but not including) version 3.1.1
Sourcetree for Windows, from version 0.5a up to (but not including) version 3.0.15
Fixed versions:
Sourcetree for macOS version 3.1.1
Sourcetree for Windows version 3.0.15
Proof of concept
Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before version 3.0.15 are vulnerable to CVE-2018-20234 and CVE-2018-20235 respectively. A remote attacker with permission to commit to a Mercurial repository that is linked in Sourcetree for macOS or Windows can exploit this issue to execute code on the system running Sourcetree.
Credit: Terry Zhang (Tophant)
References:
Sourcetree Security Advisory 2019-03-06
Argument Injection via Mercurial hooks in Sourcetree for macOS – CVE-2018-20234
Argument Injection via Mercurial hooks in Sourcetree for Windows – CVE-2018-20235
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: March 12, 2019