Sourcetree Security Advisory 2020-09-02
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Sourcetree - Malicious URLs may cause Git to present stored credentials to the wrong server
Summary | CVE-2020-5260 - Malicious URLs may cause Git to present stored credentials to the wrong server |
|---|---|
Advisory Release Date | September 2, 2020 10 AM PDT (Pacific Time, -7 hours) |
Product | Sourcetree for Windows Sourcetree for Mac |
Affected Sourcetree versions | For Windows version 3.3.8 and earlier For Mac version 4.0.1 and earlier |
Fixed Sourcetree Versions | For Windows version3.3.9 For Mac version4.0.2 |
CVE ID(s) |
Summary of Vulnerability
This advisory discloses critical severity security vulnerabilities in the Sourcetree versions listed above ("Affected Sourcetree Versions").
customers who have upgraded Sourcetree to versions listed in the fixed Sourcetree versions are not affected.
Customers who have downloaded and installed any of the Sourcetree for Windows and Mac versions listed above ("Affected Sourcetree versions") are affected.
Please upgrade your Sourcetree for Windows and Mac immediately to fix this vulnerability.
Severity
Atlassian has given this vulnerability a critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.
This is our assessment and you should evaluate its applicability to your own IT environment.
Description
Sourcetree uses Git, which uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline could inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any hostname to a hostname of their choosing.
The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git.
All versions of Sourcetree for macOS 4.0.1 and earlier are affected by this vulnerability. This issue can be tracked here:
SRCTREE-7358 - Git submodules vulnerability in Sourcetree for Mac - CVE-2020-5260CLOSED
All versions of Sourcetree for Windows 3.3.8 and earlier are affected by this vulnerability. This issue can be tracked here:
SRCTREEWIN-13182 - Git submodules vulnerability in Sourcetree for Windows - CVE-2020-5260CLOSED
Fix
We have taken the following steps to address these issues:
Released Sourcetree for macOS version 4.0.2 that contains fixes for these issues and can be downloaded from https://www.sourcetreeapp.com/.
Released Sourcetree for Windows version 3.3.9 that contains fixes for these issues and can be downloaded from https://www.sourcetreeapp.com/.
What You Need to Do
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Sourcetree, see the release notes(Windows and Mac). You can download the latest version of Sourcetree from the Sourcetree website.
Upgrade to Sourcetree for macOS version 4.0.2 or Higher; Sourcetree for Windows version 3.3.9 or higher.
If you are running a version of Sourcetree for macOS earlier than 4.0.2, or Sourcetree for Windows earlier than 3.3.9 and cannot upgrade to the latest version immediately, the best workaround is to upgrade to the latest version of Git and select the option to use system Git.The patched versions of Git are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
Mitigation
If you can't upgrade the Sourcetree or Git immediately, an alternative is to avoid malicious URLs:
examine the hostname and username portion of URLs fed to git clone
for the presence of encoded newlines (%0a) or evidence of
credential-protocol injections (e.g., host=github.com)
avoid using submodules with untrusted repositories (don't use the
clone--recurse-submodules; usegit submodule updateonly after examiningthe URLs found in .gitmodules)
References
https://bitbucket.org/blog/git-vulnerability-in-multiple-versions-including-2-26
https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
https://bugs.chromium.org/p/project-zero/issues/detail?id=2021
Support
Atlassian supports Sourcetree through the Atlassian Community. If you have questions or concerns regarding this advisory, please raise them via https://community.atlassian.com/t5/Sourcetree/ct-p/Sourcetree.
Was this helpful?