Vulnerability CVE-2018-13385


Published: 2018-07-24

Description:
There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for macOS from 1.0b2 before 2.7.6 are affected by this vulnerability.

See advisories in our WLB2 database:
Topic
Author
Date
High
Sourcetree Remote Code Execution
Etienne Stalmans
25.07.2018

Type:

CWE-88

(Argument Injection or Modification)

Vendor: Atlassian
Product: Sourcetree 
Version:
2.7.3
2.7.2
2.7.1
2.7
2.6.3
2.6.2
2.6.1
2.6
2.5.3
2.5.2
2.5.1
2.5
2.4.1
2.4
2.3.2
2.3.1
2.3
2.2.4
2.2.3
2.2.2
2.2.1
2.2
2.1
2.0.5.8
2.0.5.7
2.0.5.6
2.0.5.5
2.0.5.4
2.0.5.3
2.0.5.2
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
2.0.0
1.9.8
1.9.7
1.9.6
1.9.5.2
1.9.5.1
1.9.5
1.9.4.1
1.9.4
1.9.3.1
1.9.3
1.9.2
1.9.1
1.9.0
1.8.1
1.8.0.3
1.8.0.2
1.8.0.1
1.8.0
1.7.4.1
1.7.4
1.7.3
1.7.2
1.7.1
1.7.0
1.6.4.1
1.6.3.1
1.6.2.2
1.6.2.1
1.6.2
1.6.1
1.6.0.1
1.6
1.5.8
1.5.7.1
1.5.7
1.5.6
1.5.5.1
1.5.5
1.5.4
1.5.3
1.5.2
1.5.1
1.5
1.4.4.2
1.4.4.1
1.4.4
1.4.3.1
1.4.3
1.4.2
1.4.1.1
1.4.1
1.4
1.3.3
1.3.2
1.3.1.1
1.3.1
1.3.0
1.2.9.1
1.2.9
1.2.8.1
1.2.8
1.2.7.1
1.2.7
1.2.6
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
https://jira.atlassian.com/browse/SRCTREE-5846

Related CVE
CVE-2018-13402
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before ve...
CVE-2018-13401
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7....
CVE-2018-13400
Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from versio...
CVE-2018-13399
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-13395
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 a...
CVE-2018-13391
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from ver...
CVE-2018-13392
Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue keys.
CVE-2017-18104
The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should ...

Copyright 2018, cxsecurity.com

 

Back to Top