Allele Security Alert
ASA-2019-00129
Identifier(s)
ASA-2019-00129, CVE-2018-20236
Title
Command Injection via URI handling
Vendor(s)
Atlassian
Product(s)
Sourcetree
Affected version(s)
Sourcetree for Windows from version 0.5a up to, but not including, version 3.0.10
Fixed version(s)
Sourcetree for Windows version 3.0.10
Proof of concept
Unknown
Description
Sourcetree for Windows before version 3.0.10 was vulnerable to CVE-2018-20236, a command injection via URI handling. A remote attacker who can send a URI to a Sourcetree for Windows user can exploit this issue to gain code execution on the system.
Technical details
Unknown
Credits
Terry Zhang (Tophant)
Reference(s)
Sourcetree Security Advisory 2019-03-06
https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2019-03-06-966678691.html
Command Injection via URI handling in Sourcetree for Windows – CVE-2018-20236
https://jira.atlassian.com/browse/SRCTREEWIN-11291
CVE-2018-20236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20236
CVE-2018-20236
https://nvd.nist.gov/vuln/detail/CVE-2018-20236
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: March 12, 2019