CVE-2017-8768 in SourceTree

Summary

by MITRE

Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632.


Analysis

by VulDB Data Team • 12/22/2020

Atlassian SourceTree 2.5c and earlier contain a critical command injection vulnerability in the handling of the sourcetree:// URI scheme. A specially crafted URL using the cloneRepo/ext:: or checkoutRef/ext:: pattern lets an attacker execute arbitrary operating system commands. The flaw sits in the application's protocol handler, where user-supplied input is neither sanitized nor validated before it is processed as part of a command execution flow. This is a classic command injection that can be reached through web-based attack vectors or through crafted links a user may inadvertently click.

Exploitation occurs when SourceTree processes a sourcetree:// URL carrying one of these injection patterns. When a user clicks or opens such a URL, the application parses its components and executes the embedded command without adequate input validation or sanitization, so attacker-controlled input flows directly into a system command invocation and bypasses the normal security boundary. The issue is especially concerning because a single URL interaction triggers it; no complex social engineering or additional attack vector is required.

The operational impact is severe: successful exploitation gives a remote attacker arbitrary command execution with the privileges of the user account running SourceTree, which can lead to full system compromise. Attackers could use it to install malware, exfiltrate data, modify system configuration, or establish persistent access. All versions up to and including 2.5c are affected, and SourceTree's widespread use in development environments, where attackers may already have knowledge of the target systems, makes the exposure particularly dangerous.

Mitigation should start with an immediate update to SourceTree 2.5d or later, which contains the patch for this command injection. Organizations should also deploy network-level protections such as URL filtering and web application firewalls to block malicious sourcetree:// URLs. Security awareness training for developers should stress the danger of clicking untrusted links and the importance of verifying a URL before interacting with it. The vulnerability aligns with CWE-78, improper neutralization of special elements used in an OS command, and maps to ATT&CK technique T1059.001 for Command and Scripting Interpreter. System administrators should also consider application whitelisting policies that restrict execution of arbitrary commands through SourceTree's protocol handlers.
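As an added example that is not part of this VulDB entry or of SourceTree's own code, the check a hardened sourcetree:// handler, or a URL filter of the kind the mitigation paragraph mentions, could apply: the action and clone target are parsed out of the link, the target must itself be a URL on an allowlisted network transport, and git is invoked with an argument list rather than a shell. The function names, the allowlists and the sample links are assumptions constructed for this example.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, unquote
# Actions the handler knows, and the only transports a clone target may use (assumed allowlists).
ALLOWED_ACTIONS = {"cloneRepo", "checkoutRef"}
ALLOWED_TARGET_SCHEMES = {"https", "ssh", "git"}
# Shell metacharacters and control bytes never belong in a clone target.
UNSAFE_CHARS = re.compile(r"[\s;&|`$<>\x00-\x1f]")

class RejectedUri(ValueError):
    """Raised for any sourcetree:// link the handler refuses to act on."""
def parse_sourcetree_uri(uri: str) -> tuple[str, str]:
    """Split sourcetree://<action>/<target> into (action, target) or raise RejectedUri."""
    parts = urlsplit(uri)
    if parts.scheme != "sourcetree":
        raise RejectedUri(f"unexpected scheme {parts.scheme!r}")
    action = parts.netloc  # sourcetree://cloneRepo/... parses with 'cloneRepo' as netloc
    if action not in ALLOWED_ACTIONS:
        raise RejectedUri(f"unknown action {action!r}")
    if parts.query or parts.fragment:
        raise RejectedUri("query or fragment in a clone link")
    # Decode first, then validate, so a percent-encoded ext%3A%3A cannot slip past.
    target = unquote(parts.path.lstrip("/"))
    if not target or target.startswith("-") or UNSAFE_CHARS.search(target):
        raise RejectedUri("malformed clone target")
    # The target must itself be a URL on an allowlisted transport: the ext:: form named in the
    # advisory parses with scheme 'ext' and is refused, as are scp-style git@host:path targets.
    if urlsplit(target).scheme not in ALLOWED_TARGET_SCHEMES:
        raise RejectedUri(f"refusing clone transport in {target!r}")
    return action, target

def git_clone_argv(uri: str, dest_dir: str) -> list[str]:
    """Argument vector a handler would hand to subprocess.run: list form, no shell."""
    action, target = parse_sourcetree_uri(uri)
    if action != "cloneRepo":
        raise RejectedUri("only cloneRepo produces a clone command")
    return ["git", "clone", "--", target, dest_dir]  # '--' keeps git from reading target as an option

def is_blocked_sourcetree_uri(uri: str) -> bool:
    """URL-filter check for a proxy or mail gateway: True when the link would be refused."""
    try:
        parse_sourcetree_uri(uri)
    except RejectedUri:
        return True
    return False

# Constructed sample links (not from any real incident): a legitimate clone link and one matching
# the cloneRepo/ext:: pattern from the advisory, which is refused before anything reaches git.
SAMPLE_LINKS = ["sourcetree://cloneRepo/https://example.com/team/app.git",
                "sourcetree://cloneRepo/ext::some-command"]
```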

Reservation

05/03/2017

Disclosure

05/04/2017

Moderation

accepted

CPE

ready

EPSS

0.08015

KEV

no

Activities

very low
