CVE-2018-13397 in SourceTree

Summary

by MITRE

There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.


Analysis

by VulDB Data Team • 04/10/2020

CVE-2018-13397 is an argument injection flaw in Atlassian Sourcetree for Windows affecting versions from 0.5.1.0 before 3.0.0. It lies in the handling of Git subrepositories inside Mercurial repositories. When Sourcetree runs Git operations for such subrepositories, it builds command lines for the git executable from values that come out of the repository itself (the subrepository declarations) without ensuring that those values cannot be parsed by git as options. An attacker who can commit to a Mercurial repository that a victim has linked in Sourcetree for Windows can therefore inject arguments into git commands and execute arbitrary code on the victim's machine with the privileges of the user running Sourcetree. This is code execution in the user's own context, not an elevation of privilege; the attacker gains whatever that developer account can do.

Technically, the flaw is a failure to neutralize argument delimiters. When Sourcetree processes a Mercurial repository that declares Git subrepositories, it constructs the git command line from repository-supplied data, and that data is attacker-controlled by definition: whoever commits chooses it. A value that begins with `-` is parsed by git as an option rather than as a URL or a path, so the attacker chooses which git options are applied and with which values. This is argument injection, CWE-88, a child of CWE-77 (improper neutralization of special elements used in a command). It differs from CWE-78 (OS command injection) in that no shell and no shell metacharacters are involved; the injected string never passes through a shell. The invoked program itself, here git, interprets the attacker's value as an option, and git has options that name other programs for it to execute, which is how option injection turns into code execution.

Operationally, the attacker needs only commit access to a Mercurial repository that the victim tracks in Sourcetree. A malicious commit that changes the Git subrepository declarations is enough; the injection fires when the victim next clones or updates that repository through the Sourcetree interface, which is a routine action that requires no further interaction from the victim and no additional authentication or network access on the attacker's side. The risk is highest in collaborative development environments where many developers, contractors or automation accounts hold commit rights to shared repositories, and in enterprises where Sourcetree is a standard client, because a single malicious or compromised committer can reach every Windows developer who pulls the repository.

Mitigation starts with upgrading Sourcetree for Windows to version 3.0.0 or later, the first release in which the argument handling for Git subrepositories is fixed. Beyond patching, restrict commit permissions on Mercurial repositories to trusted accounts and review changes to subrepository declarations (new or modified Git subrepository entries) with the same care as build scripts, since the client acts on them rather than merely storing them. Endpoint monitoring should alert on unexpected child processes spawned by git.exe or by Sourcetree; that process tree is the observable footprint of a successful injection. In ATT&CK terms the payload is execution under T1059 (Command and Scripting Interpreter); the T1059.001 sub-technique (PowerShell) applies only when the injected command invokes PowerShell. Application control such as AppLocker or WDAC limits what an injected payload can launch, though it cannot inspect git's arguments. Finally, inventory all Sourcetree installations on development machines so that none remain on a pre-3.0.0 version, and make sure incident response playbooks cover malicious repository content as an initial access vector against developer workstations.
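The mechanism described in the technical paragraph above and the hardening described in this mitigation paragraph, as one added example that is not part of the VulDB entry and not Sourcetree's or Atlassian's code: the Python below parses a constructed `.hgsub` manifest (Mercurial's subrepository declaration file, `path = [kind]source`), shows how a repository-supplied value that begins with `-` lands in git's option position when the command line is built naively, and contrasts that with a hardened builder that rejects option-looking values and separates data from options with `--`. The `--upload-pack` option in the sample is a real git-clone option that names a program for git to run; it is used as a stand-in for the class of flaw, since the page does not detail the actual Sourcetree vector or Atlassian's fix. The `git_options_in` helper is a simplified model of git's option parser, and the function names (`parse_hgsub`, `audit_hgsub`, `clone_argv_hardened`) are this example's own.

```python
import re
from typing import List, NamedTuple

# Mercurial declares subrepositories in a .hgsub file, one per line:
#   <path> = [<kind>]<source>
# where <kind> is hg (the default), git or svn. Both <path> and <source>
# come out of the repository, so anyone who can commit controls them.
class SubRepo(NamedTuple):
    path: str
    kind: str
    source: str


_HGSUB_LINE = re.compile(
    r"^\s*(?P<path>[^=#]+?)\s*=\s*(?:\[(?P<kind>\w+)\])?(?P<source>.*?)\s*$"
)


def parse_hgsub(text: str) -> List[SubRepo]:
    """Parse .hgsub content into SubRepo entries; kind defaults to 'hg'."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _HGSUB_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed .hgsub line: {line!r}")
        entries.append(SubRepo(m["path"], m["kind"] or "hg", m["source"]))
    return entries


def git_options_in(argv: List[str]) -> List[str]:
    """Simplified model of git's option parsing (argv[0]='git', argv[1]=subcommand).

    git accepts options anywhere among the positional arguments until it sees
    a bare '--'; after that, everything is positional. So a repository-supplied
    value placed before '--' and beginning with '-' is parsed as an option.
    """
    options = []
    for arg in argv[2:]:
        if arg == "--":
            break
        if arg.startswith("-"):
            options.append(arg)
    return options


def clone_argv_vulnerable(sub: SubRepo) -> List[str]:
    """The flawed pattern: repository data dropped straight into argv."""
    return ["git", "clone", sub.source, sub.path]


def clone_argv_hardened(sub: SubRepo) -> List[str]:
    """Reject option-looking values, then put all data after '--'."""
    for value in (sub.source, sub.path):
        if value.startswith("-"):
            raise ValueError(f"subrepository value looks like a git option: {value!r}")
    return ["git", "clone", "--", sub.source, sub.path]


def audit_hgsub(text: str) -> List[SubRepo]:
    """Git subrepository entries that the vulnerable pattern would turn into git options."""
    flagged = []
    for sub in parse_hgsub(text):
        if sub.kind == "git" and git_options_in(clone_argv_vulnerable(sub)):
            flagged.append(sub)
    return flagged


# Constructed sample, not taken from any real repository. The third entry uses
# --upload-pack, a real git-clone option that names a program git executes; it
# illustrates the class of flaw, not the exact Sourcetree vector.
SAMPLE_HGSUB = """\
# shared library, benign
lib/common = [git]https://git.example.invalid/team/common.git
docs = docs-repo
tools = [git]--upload-pack=evil.exe
"""

if __name__ == "__main__":
    for sub in audit_hgsub(SAMPLE_HGSUB):
        print(f"suspicious Git subrepository {sub.path!r}: source {sub.source!r}")
    print(clone_argv_hardened(parse_hgsub(SAMPLE_HGSUB)[0]))
```

Run as a script it flags the `tools` entry and prints the hardened argv for the benign one. The `audit_hgsub` check is the part worth reusing: it can run over repositories before they are opened in a client that has not yet been updated, and the leading-dash rejection plus `--` separator is the general fix for any program that builds a command line for git out of untrusted data.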

Reservation

07/06/2018

Disclosure

11/05/2018

Moderation

accepted

CPE

ready

EPSS

0.00447

KEV

no

Activities

very low
