CVE-2018-20236
Sourcetree Git Arbitrary Code Execution / URL Handling
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
There was an command injection vulnerability in Sourcetree for Windows from version 0.5a before version 3.0.10 via URI handling. A remote attacker could send a malicious URI to a victim using Sourcetree for Windows to exploit this issue to gain code execution on the system.
Había una vulnerabilidad de inyección de comandos en Sourcetree para Windows, desde la versión 0.5a hasta la 3.0.10, mediante la gestión de URI. Un atacante remoto podría enviar una URL maliciosa a una víctima que utiliza Sourcetree para Windows para explotar este fallo con el fin obtener la ejecución de código en el sistema.
Sourcetree for macOS versions below 3.1.1 to 1.2 and Sourcetree for Windows versions below 3.0.17 to 0.5a suffer from code execution vulnerabilities related to the inclusion of git, a Mercurial hooks argument injection vulnerability, and a URI handling vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-12-19 CVE Reserved
- 2019-03-08 CVE Published
- 2024-09-16 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html | X_refsource_misc |
|
| http://www.securityfocus.com/bid/107401 | Third Party Advisory | |
| https://seclists.org/bugtraq/2019/Mar/30 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://jira.atlassian.com/browse/SRCTREEWIN-11291 | 2019-10-03 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Atlassian Search vendor "Atlassian" | Sourcetree Search vendor "Atlassian" for product "Sourcetree" | >= 0.5a < 3.0.10 Search vendor "Atlassian" for product "Sourcetree" and version " >= 0.5a < 3.0.10" | windows |
Affected
| ||||||