Argument injection attack in Sourcetree for Windows - CVE-2018-5226
Published: May 1, 2018 / Updated: May 16, 2018
Vulnerability identifier: #VU12313
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-5226
CWE-ID: CWE-88
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Atlassian
Affected software:
Sourcetree for Windows
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.
The weakness exists due to argument injection via the name of a Mercurial repository tag that is about to be deleted. A remote attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows can trick the victim into opening a specially crafted file and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
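A defensive sketch of the argument-injection class described above, added here as an example and not taken from Sourcetree or from the vendor's fix: it builds the `hg tag --remove` argument vector for a repository-supplied tag name so that the name can never be parsed as an option. The function names, the allow-list pattern and the sample tag names are assumptions constructed for illustration.

```python
import re

# Conservative allow-list (an assumption of this example; Mercurial itself
# accepts more characters). The first character may never be '-'.
SAFE_TAG = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/+-]*")


class UnsafeTagName(ValueError):
    """Raised when a repository-supplied tag name must not reach the CLI."""


def naive_remove_argv(tag):
    # The CWE-88 pattern: the name lands where hg still parses options.
    return ["hg", "tag", "--remove", tag]


def is_parsed_as_option(argv, value):
    """True if value starts with '-' and sits before any '--' terminator."""
    end = argv.index("--") if "--" in argv else len(argv)
    return value.startswith("-") and value in argv[:end]


def safe_remove_argv(tag):
    """Build the argv for deleting tag, or raise UnsafeTagName."""
    if not SAFE_TAG.fullmatch(tag):
        raise UnsafeTagName(repr(tag))
    # '--' ends option parsing, so the name is always a positional argument.
    # Pass the list to subprocess.run(argv) without shell=True.
    return ["hg", "tag", "--remove", "--", tag]


def audit(tags):
    """Split tag names into (argvs that are safe to run, rejected names)."""
    accepted, rejected = [], []
    for tag in tags:
        try:
            accepted.append(safe_remove_argv(tag))
        except UnsafeTagName:
            rejected.append(tag)
    return accepted, rejected


# Constructed sample input: tag names as they might arrive from a remote repository.
SAMPLE_TAGS = ["v1.0.2", "release/2018-05", "--constructed-option=value", "-x", "a b", ""]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_TAGS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejected names are worth logging: a tag name that begins with `-` in a shared repository is a useful detection signal in its own right.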
How to mitigate CVE-2018-5226
Update to version 2.5.5.