I received an email from Atlassian relating to the Command Injection issue in SourceTree and suggesting an upgrade to the most recent version of SourceTree, as I'm sure all users did.
I am hesitant about upgrading in an Enterprise environment to the newest version for a couple reasons I will not get into here. Is there any information on what exactly the risks are if I stay on a pre-2 version? And is there any way of mitigating those risks other than upgrading?
Much appreciate any responses.
Hi Scott,
Please see https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+Security+Advisory+2017-05-10 & https://nvd.nist.gov/vuln/detail/CVE-2017-8768 for more information.
Can you also tell me if you are using the Windows version, or OSX version of SourceTree?
Cheers,
Gary
Thanks for the links. I had seen the first one and found it a little vague on what exactly the possible repercussions could be, I will follow up on the latter link though.
I'm using the Windows version.
After following the links I believe I understand the seriousness of the issue. Is there any way of effectively negating the issue in affected versions, such as unlinking the installed Sourcetree from URI association?
Hey Scott,
Upgrading is the preferred path.
Alternatively, you can uncheck the option "Use this version of SourceTree for URI Association" in the Tools/Options/General Tab and remove the following registry key "HKEY_CURRENT_USER\SOFTWARE\Classes\sourcetree\shell\opencommand" - this disables the handling of the "sourcetree://" protocol.
Please note that we do not test on older versions of SourceTree.
Cheers,
Gary
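A check an administrator could run after applying the workaround in the reply above, added here as an example and not part of the original thread or of Atlassian's tooling: it lists whatever is still registered under the `sourcetree` class key so you can confirm the `sourcetree://` handler is gone. The `-Remove` switch, the look at the machine-wide `HKEY_LOCAL_MACHINE` hive, the backup file name, and deleting the whole per-user `sourcetree` class key (a superset of the key named in the reply) are assumptions of this example.

```powershell
# Added example: audit (and optionally remove) the sourcetree:// URI handler registration.
param(
    [switch]$Remove   # hypothetical switch for this example: delete the per-user registration
)

# Per-user class key that contains the key named in the reply above, plus the
# machine-wide hive (assumption: a handler could also be registered there).
$roots = @(
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\sourcetree',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sourcetree'
)

function Get-SourceTreeHandler {
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Walk the class key and every subkey; the default value of a command
        # subkey is the command line Windows launches for the URI scheme.
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)
        foreach ($key in $keys) {
            [pscustomobject]@{
                Key          = $key.Name
                DefaultValue = $key.GetValue('')
                IsUrlScheme  = $null -ne $key.GetValue('URL Protocol')
            }
        }
    }
}

$found = @(Get-SourceTreeHandler)
if ($found.Count -eq 0) {
    Write-Output 'No sourcetree:// handler registration found.'
    return
}
$found | Format-List

if ($Remove -and (Test-Path -LiteralPath $roots[0])) {
    # Export the per-user key first so the change can be reverted.
    $backup = Join-Path $env:TEMP 'sourcetree-handler-backup.reg'
    reg.exe export 'HKCU\SOFTWARE\Classes\sourcetree' $backup /y | Out-Null
    Remove-Item -LiteralPath $roots[0] -Recurse -Force
    Write-Output "Removed $($roots[0]); backup written to $backup"
}
```

Run it once without `-Remove` to see what is registered, and again after the change to confirm nothing is reported for the current user.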