Technical Advisory: Shell Injection in SourceTree

Vendor: Atlassian Vendor URL: Versions affected: v1.9.8 known affected version, earlier versions possible Systems Affected: Mac OS X known affected, others possible Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: Risk: Critical (reliable remote code execution) 


SourceTree is a product for working with various types of code repositories.

SourceTree registers its own URL handler for sourcetree:// URLs, which is vulnerable to shell command injection.


sourcetree:// URL handler


Attackers can execute arbitrary shell commands on computers running SourceTree 1.9.8 or earlier by getting a user to visit a malicious website or click a sourcetree:// URL.


SourceTree v1.9.8 and earlier are affected by a shell injection flaw in the handling of sourcetree:// URLs. The checkoutRef action uses the cloneURL variable as part of a shell command without proper sanitization. It is possible to trigger this through a browser using a META refresh tag which redirects to a sourcetree:// URL.


Upgrade to the latest version of SourceTree.

Vendor Communication

2016-10-06 - Initial contact with Atlassian to request a security    contact 2016-10-06 - Atlassian notes that it has a portal for reporting    vulnerabilities and provides invites, as well as providing a    PGP key 2016-10-12 - Provided Atlassian with a draft of this document and    proof of concept exploit via email with PGP 2016-10-14 - Atlassian notes that the latest version of SourceTree,    version 2.3.1, is not vulnerable 2016-10-20 - Asked Atlassian to confirm that we are OK to publish    since the latest version is not vulnerable 2016-10-26 - Atlassian agrees but asks for a severity rating to    ensure we publish with the same severity rating 2017-01-16 - Notified Atlassian that we identify the severity as    critical 2017-01-16 - Atlassian asks us to notify them when we are going    to release the advisory so they can coordinate their release 2017-02-15 - Notified Atlassian by email that we are preparing the    advisory for release 

Thanks to

Syndis – For discovering the bug

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.

Call us before you need us.

Our experts will help you.

Get in touch
%d bloggers like this: