
CVE-2018-13385

Sourcetree Remote Code Execution

Severity Score: 9.8 (CVSS v3)
Exploit Likelihood: - (EPSS)
Affected Versions: - (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for macOS from 1.0b2 before 2.7.6 are affected by this vulnerability.

The underlying weakness is CWE-88: file names taken from the repository are placed on an hg command line, and a name that begins with "-" is interpreted by the command's option parser as a flag rather than as a path unless the invocation ends option parsing with a "--" separator before the paths.

A related advisory describes Sourcetree as suffering from multiple remote code execution vulnerabilities related to git submodules and argument injection; macOS versions from 1.0b2 before 2.7.6 and Windows versions from 0.5.1.0 before 2.6.10 are affected.
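To make the CWE-88 mechanism concrete, here is an added example in Python (not Sourcetree's, Mercurial's or the advisory's code). It models a hypothetical GUI wrapper that builds an hg argv from tracked file names, simulates how a getopt-style parser splits that argv into options and paths, and provides a pre-receive style check that flags option-looking names. The manifest, the wrapper function names and the option-looking file names are all constructed for the illustration; no claim is made that any specific token reproduces the Sourcetree exploit.

```python
from typing import List, Tuple

# Constructed sample manifest (not taken from the advisory): the kind of
# file names a malicious committer could add to a Mercurial repository.
SAMPLE_MANIFEST = [
    "README.md",
    "src/main.c",
    "-rf",                          # short-option-looking name
    "--config=alias.status=!id",    # long-option-looking name (hypothetical)
    "--debugger",                   # long-option-looking name (hypothetical)
    "normal--name.txt",             # harmless: '-' is not the first character
    "-",                            # harmless: a lone '-' is a positional token
]


def looks_like_option(name: str) -> bool:
    """True if a getopt-style parser would read this token as a flag.

    A lone '-' conventionally means stdin and is positional; anything else
    that starts with '-' is parsed as an option unless it follows '--'.
    """
    return name.startswith("-") and name != "-"


def find_injection_candidates(manifest: List[str]) -> List[str]:
    """Server-side (pre-receive / CI) check: list tracked paths that a
    client tool would pass to hg and that hg would parse as options."""
    return [n for n in manifest if looks_like_option(n)]


def build_hg_argv_unsafe(subcommand: str, paths: List[str]) -> List[str]:
    """Vulnerable pattern (CWE-88): repository paths appended straight after
    the subcommand, so option-looking names reach the option parser."""
    return ["hg", subcommand, *paths]


def build_hg_argv_hardened(subcommand: str, paths: List[str]) -> List[str]:
    """Hardened pattern: an explicit '--' ends option parsing, so every
    later token is treated as a path regardless of its first character."""
    return ["hg", subcommand, "--", *paths]


def options_seen_by_parser(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Simulate a getopt-style split of the tokens after 'hg <subcommand>':
    tokens before '--' that start with '-' are options, '--' itself is
    consumed, and everything after it is positional."""
    opts: List[str] = []
    positional: List[str] = []
    after_sep = False
    for tok in argv[2:]:
        if after_sep:
            positional.append(tok)
        elif tok == "--":
            after_sep = True
        elif looks_like_option(tok):
            opts.append(tok)
        else:
            positional.append(tok)
    return opts, positional


if __name__ == "__main__":
    print("flagged names:", find_injection_candidates(SAMPLE_MANIFEST))
    for builder in (build_hg_argv_unsafe, build_hg_argv_hardened):
        opts, paths = options_seen_by_parser(builder("status", SAMPLE_MANIFEST))
        print(builder.__name__, "-> options:", opts, "paths:", paths)
```

The same check applies to any tool that shells out to git or hg with repository-controlled names: either terminate option parsing with "--", or reject option-looking names before they reach the command line. The hardened builder alone fixes the argv shape; the manifest check is the defence-in-depth control that catches such names at commit or push time.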

*Credits: N/A
CVSS Scores

CVSS v3 base score 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2 base score 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial

Note that the v3 vector records no privileges and no user interaction, while the description presupposes commit access to a Mercurial repository that the victim has linked in Sourcetree. Treat 9.8 as the worst case and weigh it against who can push to the repositories your users have linked.
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-07-06 CVE Reserved
  • 2018-07-24 CVE Published
  • 2024-09-16 CVE Updated
  • 2025-03-30 EPSS Updated
  • Exploited in Wild: -
  • KEV Due Date: -
  • First Exploit: -
CWE
  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Affected Vendors, Products, and Versions

Vendor     Product     Version          Other          Status
Atlassian  Sourcetree  >= 1.0 < 2.7.6   mac_os_x       Affected
Atlassian  Sourcetree  1.0              beta2, macos   Affected
Atlassian  Sourcetree  1.0              beta3, macos   Affected
Atlassian  Sourcetree  1.0              beta4, macos   Affected
Atlassian  Sourcetree  1.0              beta5, macos   Affected
Atlassian  Sourcetree  1.0              rc1, macos     Affected