CVE-2018-20235 - Unspecified vulnerability in Atlassian Sourcetree
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
There was an argument injection vulnerability in Atlassian Sourcetree for Windows from version 0.5a before version 3.0.15 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
Vulnerable Configurations
Nessus
NASL family: MacOS X Local Security Checks
NASL id: ATLASSIAN_SOURCETREE_3_1_1_MACOSX.NASL
description: The version of Atlassian SourceTree installed on the remote Windows host is version 1.2 prior to 3.1.1. It is, therefore, affected by multiple remote code execution vulnerabilities.
- An option injection vulnerability exists in the git submodule component. An unauthenticated, remote attacker can exploit this via the processing of a recursive git clone of a project with a specially crafted .gitmodules file, to execute arbitrary commands. (CVE-2018-17456)
- An argument injection vulnerability exists in the Mercurial repository component. An authenticated, remote attacker can exploit this via filenames in the Mercurial repositories to execute arbitrary commands. (CVE-2018-20234, CVE-2018-20235)
- A command injection vulnerability exists in the URI handling component. An unauthenticated, remote attacker could exploit this via sending a malicious URI to a victim to execute arbitrary commands. (CVE-2018-20236)
Note that Nessus has not tested for these issues but has instead relied only on the application
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 124411
published: 2019-04-30
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/124411
title: Atlassian SourceTree 1.2 < 3.1.1 Multiple remote code execution vulnerabilities
code:
    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(124411);
      script_version("1.3");
      script_cvs_date("Date: 2019/05/17 9:44:17");

      script_cve_id(
        "CVE-2018-17456",
        "CVE-2018-20234",
        "CVE-2018-20235",
        "CVE-2018-20236"
      );
      script_bugtraq_id(
        105523,
        107401,
        107407,
        107414
      );

      script_name(english:"Atlassian SourceTree 1.2 < 3.1.1 Multiple remote code execution vulnerabilities");
      script_summary(english:"Checks the version of Atlassian SourceTree.");

      script_set_attribute(attribute:"synopsis", value:
    "The version of Atlassian SourceTree installed on the remote Windows host is affected by multiple remote code execution vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Atlassian SourceTree installed on the remote Windows host is version 1.2 prior to 3.1.1. It is, therefore, affected by multiple remote code execution vulnerabilities.
    - An option injection vulnerability exists in the git submodule component. An unauthenticated, remote attacker can exploit this via the processing of a recursive git clone of a project with a specially crafted .gitmodules file, to execute arbitrary commands. (CVE-2018-17456)
    - An argument injection vulnerability exists in the Mercurial repository component. An authenticated, remote attacker can exploit this via filenames in the Mercurial repositories to execute arbitrary commands. (CVE-2018-20234, CVE-2018-20235)
    - A command injection vulnerability exists in the URI handling component. An unauthenticated, remote attacker could exploit this via sending a malicious URI to a victim to execution arbitrary commands. (CVE-2018-20236)
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    ");
      # https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2019-03-06-966678691.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e9103cc4");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Atlassian SourceTree 3.1.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20236");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Malicious Git HTTP Server For CVE-2018-17456');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/30");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:sourcetree");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");

      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("atlassian_sourcetree_detect_macosx.nbin");
      script_require_keys("Host/MacOSX/Version", "installed_sw/SourceTree");

      exit(0);
    }

    include("vcf.inc");
    include("vcf_extras.inc");

    app_info = vcf::get_app_info(app:"SourceTree");

    #atlassian_sourcetree add conversions for b --> beta and a --> alpha
    vcf::atlassian_sourcetree::initialize();

    constraints = [{ "min_version" : "1.2", "fixed_version" : "3.1.1" }];

    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family: Windows
NASL id: ATLASSIAN_SOURCETREE_3_0_17.NASL
description: The version of Atlassian SourceTree installed on the remote Windows host is version 0.5a prior to 3.0.17. It is, therefore, affected by multiple remote code execution vulnerabilities.
- An option injection vulnerability exists in the git submodule component. An unauthenticated, remote attacker can exploit this via the processing of a recursive git clone of a project with a specially crafted .gitmodules file, to execute arbitrary commands. (CVE-2018-17456)
- An argument injection vulnerability exists in the Mercurial repository component. An authenticated, remote attacker can exploit this via filenames in the Mercurial repositories to execute arbitrary commands. (CVE-2018-20234, CVE-2018-20235)
- A command injection vulnerability exists in the URI handling component. An unauthenticated, remote attacker could exploit this via sending a malicious URI to a victim to execute arbitrary commands. (CVE-2018-20236)
Note that Nessus has not tested for these issues but has instead relied only on the application
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 122854
published: 2019-03-14
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/122854
title: Atlassian SourceTree 0.5a < 3.0.17 Multiple remote code execution vulnerabilities
References
- http://packetstormsecurity.com/files/152173/Sourcetree-Git-Arbitrary-Code-Execution-URL-Handling.html
- http://www.securityfocus.com/bid/107407
- https://jira.atlassian.com/browse/SRCTREEWIN-11289
- https://seclists.org/bugtraq/2019/Mar/30