SourceTree for Windows Security Advisory 24th March 2021
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
SourceTree for Windows - Remote Code Injection using Git LFS - CVE-2020-27955 & CVE-2021-21237
Summary | CVE-2020-27955 & CVE-2021-21237 - Remote Code Injection using Git LFS |
|---|---|
Advisory Release Date | 24 March 2021, 10:00 AM PDT (Pacific Time, -7 hours) |
Product | SourceTree for Windows |
Affected Versions | Version 3.4.2 and earlier |
Fixed Versions | Version 3.4.3 and later |
CVE ID(s) |
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability which wasintroduced through the git-lfs library and discovered in version 3.3.9 of SourceTree for Windows. Both CVE-2020-27955 & CVE-2021-21237 refer to the same underlying vulnerability, Remote Code Injection using Git LFS. Versions of SourceTree for Windows starting with 0.9.4 before 3.4.3 (the fixed version for CVE-2020-27955 and CVE-2021-21237) are affected by this vulnerability.
Customers who have upgraded to version 3.4.3 arenot affected.
Customers who have installed versions <= 3.4.2 (the fixed version for versions < 3.4.3)
Please upgrade your installations immediately to fix this vulnerability.
Remote Code Injection using Git LFS - CVE-2020-27955 & CVE-2021-21237
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Vulnerability occurs when a user clones a malicious repository and tries to enable Git LFS to the repository
Clone the repository
Go to the Repository Tab -> Git LFS -> Start Repo
Loading a malicious repository will allow an attacker to execute arbitrary commands on the system.
All versions of SourceTree for Windows up to and including 3.4.2 are affected by this vulnerability.
This issue can be tracked here:
SRCTREEWIN-13410 - RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955 - CLOSED
SRCTREEWIN-13480 - RCE via git-lfs in Sourcetree for Windows - CVE-2021-21237 - CLOSED
Vulnerability References
CVE-2020-27955 advisory from Github: https://github.com/git-lfs/git-lfs/security/advisories/GHSA-4g4p-42wc-9f3m
CVE-2021-21237 advisory from Github: https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5
Original advisory by Dawid Golunski: https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html
Fix
We have taken the following steps to address this issue:
Released version 3.4.3 that contains a fix for this issue.
What You Need to Do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of SourceTree for Windows, see the release notes. Download the latest version of the standard installer or the enterprise installer.
Upgrade to version 3.4.3 or higher.
Mitigation
Update git and git-lfs on your system to the latest versions and use them in your existing Sourcetree.
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released. | |
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. | |
Our end of life policy varies for different products. Please refer to our EOL Policy for details. |
Was this helpful?