Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632.
|http://openwall.com/lists/oss-security/2017/05/03/5||Mailing List Third Party Advisory|
|http://seclists.org/fulldisclosure/2017/May/10||Mailing List Third Party Advisory|
|http://www.securityfocus.com/bid/98329||Third Party Advisory VDB Entry|
|https://www.youtube.com/watch?v=SQ1_Ht-0Bdo||Third Party Advisory|
Configuration 1 (hide)