A critical security vulnerability has been discovered in Atlassian’s popular version control client, Sourcetree, affecting both Mac and Windows versions.
The flaw, identified as CVE-2024-21697, allows unauthenticated attackers to execute arbitrary code remotely, posing a significant risk to users.
The vulnerability, which carries a high severity rating with a CVSS score of 8.8, was introduced in Sourcetree for Mac version 4.2.8 and Sourcetree for Windows version 3.4.19.
This remote code execution (RCE) flaw has the potential to compromise the confidentiality, integrity, and availability of affected systems.
Security researchers have warned that successful exploitation of this vulnerability could grant attackers complete control over the targeted systems.
Atlassian, the company behind Sourcetree, has responded swiftly to the security threat. It has released patches to address the vulnerability and is strongly urging all users to update their software immediately.
Flaw Profile
- CVE ID: CVE-2024-21697
- Affects Version/s: 4.2.8, 3.4.19
- CVSS Score: 8.8
- CVSS Severity: High
- Vulnerability Source: Penetration Testing
- Vulnerability Classes: RCE (Remote Code Execution), Security Misconfiguration
- Affected Product(s): Sourcetree for Mac, Sourcetree for Windows
The attack vector requires user interaction, but the specifics of how the vulnerability can be triggered have not been disclosed to prevent further exploitation.
The fixed versions are:
- Sourcetree for Mac: Version 4.2.9 or later
- Sourcetree for Windows: Version 3.4.20 or later
Users who are unable to upgrade to the latest versions are advised to update to these specific patched releases at a minimum.
This security issue is part of a larger set of vulnerabilities addressed in Atlassian’s November 2024 Security Bulletin. The bulletin includes details on 19 high-severity vulnerabilities that have been fixed across various Atlassian products.
The discovery of this vulnerability highlights the ongoing challenges in software security, particularly for widely-used development tools.
Atlassian has not reported any instances of this vulnerability being exploited in the wild. However, given the severity and potential impact of the flaw, users are strongly encouraged to take immediate action to protect their systems.
For those using Sourcetree in their development workflows, it is crucial to verify the version currently in use and update as soon as possible. Users can download the latest versions of Sourcetree for both Mac and Windows from the official Atlassian website.
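To turn the "verify the version currently in use" step into something repeatable, the following is an added example (not code from the article or from Atlassian) that checks an inventory of Sourcetree installs against the version thresholds the advisory gives: introduced in 4.2.8 (Mac) and 3.4.19 (Windows), fixed in 4.2.9 and 3.4.20. The affected range `[introduced, fixed)` is derived from those two statements; the function names and the sample host list are constructed for illustration. Versions are compared numerically, because a plain string comparison would wrongly rank 3.4.9 above 3.4.20.

```python
"""Added example: flag Sourcetree installs in the CVE-2024-21697 affected range.

Thresholds come from the advisory text; everything else (function names,
the sample inventory) is constructed for illustration and is not real data.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Affected range per platform, taken from the advisory: [introduced, fixed)
AFFECTED_RANGES: dict[str, tuple[str, str]] = {
    "mac": ("4.2.8", "4.2.9"),
    "windows": ("3.4.19", "3.4.20"),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.2.8' (optionally prefixed with 'v') into (4, 2, 8).

    Integer tuples compare element-wise, so 3.4.9 < 3.4.20 as intended;
    comparing the raw strings would get that backwards.
    """
    match = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(platform: str, version: str) -> bool:
    """True if this build is at or after the introducing build and before the fix."""
    key = platform.lower()
    if key not in AFFECTED_RANGES:
        raise ValueError(f"no advisory data for platform {platform!r}")
    introduced, fixed = (parse_version(v) for v in AFFECTED_RANGES[key])
    return introduced <= parse_version(version) < fixed


class Host(NamedTuple):
    """One entry from a (hypothetical) software inventory export."""
    name: str
    platform: str
    sourcetree_version: str


def needs_update(hosts: list[Host]) -> list[str]:
    """Return the names of hosts running an affected Sourcetree build."""
    return [h.name for h in hosts if is_affected(h.platform, h.sourcetree_version)]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_HOSTS = [
    Host("dev-mac-01", "mac", "4.2.8"),        # introducing build: affected
    Host("dev-mac-02", "mac", "4.2.9"),        # fixed build
    Host("dev-win-01", "windows", "3.4.19"),   # introducing build: affected
    Host("dev-win-02", "windows", "3.4.20"),   # fixed build
    Host("dev-win-03", "windows", "3.4.9"),    # predates the introducing build
]

if __name__ == "__main__":
    for name in needs_update(SAMPLE_HOSTS):
        print(f"{name}: Sourcetree build affected by CVE-2024-21697, upgrade required")
```

Feed `needs_update` the rows from whatever inventory tool you already have (MDM export, endpoint agent, package manager query) and the result is a patch work queue; builds older than the introducing version are reported as not affected only because the article states the flaw was introduced there, so adjust the table if Atlassian's bulletin lists a wider range.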
Moreover, standard cybersecurity best practices should be followed, including keeping all software up to date, being cautious when interacting with unknown or suspicious content, and maintaining robust security measures across development environments.