CVE-2024-21697 Overview
CVE-2024-21697 is a Remote Code Execution (RCE) vulnerability affecting Atlassian Sourcetree, a popular Git client used by developers on macOS and Windows platforms. This vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems, potentially leading to complete system compromise.
The vulnerability requires user interaction to exploit, meaning an attacker must convince a user to perform a specific action, such as opening a malicious repository or interacting with crafted content. Despite this requirement, the potential impact is severe, with high confidentiality, integrity, and availability consequences for affected systems.
Critical Impact
Unauthenticated attackers can achieve arbitrary code execution on systems running vulnerable versions of Sourcetree, potentially compromising developer workstations and any connected source code repositories.
Affected Products
- Sourcetree for Mac version 4.2.8
- Sourcetree for Windows version 3.4.19
- All prior versions in the affected version branches
Discovery Timeline
- 2024-11-19 - CVE-2024-21697 published to NVD
- 2025-02-11 - Last updated in NVD database
Technical Details for CVE-2024-21697
Vulnerability Analysis
This Remote Code Execution vulnerability in Atlassian Sourcetree enables unauthenticated attackers to execute arbitrary code on victim systems. The attack vector is network-based and the attack complexity is low, though successful exploitation requires user interaction. The vulnerability was discovered through Atlassian's Penetration Testing program, indicating it was identified through security research rather than active exploitation in the wild.
When successfully exploited, this vulnerability can result in complete compromise of the affected system. Attackers could potentially gain access to source code repositories, steal credentials stored in the application, pivot to other systems on the network, or install persistent backdoors on developer workstations.
Root Cause
The specific technical root cause has not been publicly disclosed by Atlassian. However, RCE vulnerabilities in Git clients like Sourcetree often stem from improper handling of repository content, unsafe execution of Git hooks, or insufficient validation of user-controlled input when processing repository metadata. The vulnerability may involve how Sourcetree processes certain Git operations or handles external data.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication. An attacker could potentially exploit this vulnerability through several vectors:
- Crafting a malicious Git repository that triggers code execution when cloned or opened
- Exploiting how Sourcetree handles certain Git protocol operations
- Leveraging malicious content within repository metadata or configuration files
Because user interaction is required, an attacker would typically rely on social engineering to convince a target to clone or open a specially crafted repository or to follow a malicious link; the exploit itself targets Sourcetree's handling of repository operations. For detailed technical information, refer to the Atlassian Security Advisory.
Detection Methods for CVE-2024-21697
Indicators of Compromise
- Unexpected child processes spawned by Sourcetree application (SourceTree.exe on Windows or Sourcetree.app on macOS)
- Unusual network connections originating from Sourcetree processes to unknown external hosts
- Suspicious Git repository clone operations from untrusted sources
- Anomalous file system activity in user profile directories following Sourcetree operations
Detection Strategies
- Monitor process creation events for child processes spawned by Sourcetree that do not match expected Git-related binaries
- Implement application whitelisting to detect unauthorized executables launched in the context of Sourcetree
- Review Git clone and fetch operations for repositories from untrusted or unknown sources
- Deploy endpoint detection solutions capable of identifying RCE exploitation patterns
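The first two detection strategies above (child processes of Sourcetree that are not expected Git helpers) can be implemented as a filter over process-creation telemetry. The Python script below is an added example, not part of this advisory or of any Atlassian tooling; the Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`), the allowlist of expected child binaries and the sample event lines are assumptions constructed for illustration and should be tuned to what your EDR pipeline actually emits.

```python
"""Flag unexpected child processes of Sourcetree in process-creation events.

Added example (not from the advisory). The event format and the allowlist of
expected Git-related child binaries are assumptions; adjust both to what your
EDR/Sysmon pipeline emits and what your Sourcetree build legitimately launches.
"""
import json
from typing import Dict, Iterable, List

# Assumed parent-process image names for Sourcetree on Windows and macOS.
SOURCETREE_IMAGES = {"sourcetree.exe", "sourcetree"}

# Assumption: binaries Sourcetree legitimately launches (Git, Git LFS, SSH,
# the credential manager, Mercurial). Tune this for your environment.
EXPECTED_CHILDREN = {
    "git.exe", "git", "git-lfs.exe", "git-lfs", "ssh.exe", "ssh",
    "git-credential-manager.exe", "hg.exe", "hg",
}


def image_name(path: str) -> str:
    """Return the lower-cased basename of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_children(events: Iterable[Dict]) -> List[Dict]:
    """Return events whose parent is Sourcetree but whose image is not an
    expected Git helper. Events are dicts carrying at least 'ParentImage'
    and 'Image' (Sysmon Event ID 1 field names, assumed here)."""
    hits = []
    for ev in events:
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        if parent in SOURCETREE_IMAGES and child not in EXPECTED_CHILDREN:
            hits.append(ev)
    return hits


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_EVENTS = """\
{"EventID": 1, "ParentImage": "C:\\\\Program Files (x86)\\\\Atlassian\\\\Sourcetree\\\\SourceTree.exe", "Image": "C:\\\\Program Files\\\\Git\\\\cmd\\\\git.exe", "CommandLine": "git.exe fetch origin"}
{"EventID": 1, "ParentImage": "C:\\\\Program Files (x86)\\\\Atlassian\\\\Sourcetree\\\\SourceTree.exe", "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "powershell.exe"}
{"EventID": 1, "ParentImage": "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree", "Image": "/usr/bin/git", "CommandLine": "git clone"}
{"EventID": 1, "ParentImage": "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree", "Image": "/bin/sh", "CommandLine": "sh"}
{"EventID": 1, "ParentImage": "C:\\\\Windows\\\\explorer.exe", "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe"}
"""


if __name__ == "__main__":
    for hit in find_suspicious_children(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT parent={hit['ParentImage']} child={hit['Image']} "
              f"cmd={hit['CommandLine']}")
```

Run against the constructed sample, the filter raises two alerts (the PowerShell and `/bin/sh` children of Sourcetree) and ignores the `git` children and the unrelated `explorer.exe` event. The allowlist is the part that needs care in production: an incomplete list produces noise from legitimate helpers, an over-broad one hides exactly the process anomaly the advisory tells you to watch for.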
Monitoring Recommendations
- Enable enhanced logging for Sourcetree application activity and Git operations
- Configure SIEM alerts for process execution anomalies associated with development tools
- Monitor network traffic from developer workstations for connections to suspicious domains
- Implement file integrity monitoring on directories commonly targeted during code execution attacks
How to Mitigate CVE-2024-21697
Immediate Actions Required
- Upgrade Sourcetree for Mac to version 4.2.9 or later immediately
- Upgrade Sourcetree for Windows to version 3.4.20 or later immediately
- Audit recent repository clone operations from untrusted sources
- Review developer workstations for signs of compromise if vulnerable versions were in use
Patch Information
Atlassian has released patched versions that address this vulnerability:
| Platform | Vulnerable Version | Fixed Version |
|---|---|---|
| macOS | 4.2.8 | 4.2.9 or later |
| Windows | 3.4.19 | 3.4.20 or later |
The latest versions can be downloaded from the Sourcetree Download Archives. For additional details, refer to the Atlassian Security Advisory and the JIRA Issue SRCTREE-8168.
Workarounds
- Restrict Sourcetree usage to cloning repositories only from trusted and verified sources until patching is complete
- Implement network segmentation to limit the blast radius of potential exploitation on developer workstations
- Consider temporarily using alternative Git clients while awaiting patch deployment
- Enable application-level firewall rules to restrict Sourcetree network communications to known Git hosting services
```bash
# Verify Sourcetree version on macOS
defaults read /Applications/Sourcetree.app/Contents/Info.plist CFBundleShortVersionString
```

```powershell
# Verify Sourcetree version on Windows (PowerShell)
# Path shown is the enterprise (MSI) install location; per-user installs keep
# SourceTree.exe under %LOCALAPPDATA%\SourceTree instead.
(Get-Item "C:\Program Files (x86)\Atlassian\Sourcetree\SourceTree.exe").VersionInfo.ProductVersion
```
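The two version commands print a dotted version string; whether that string is below the fixed version has to be decided numerically, because a plain string comparison ranks `3.4.20` below `3.4.9`. The Python script below is an added example, not Atlassian's code: the fixed versions are the ones from the patch table above, and the inventory records are constructed to stand in for output collected from the version commands.

```python
"""Check collected Sourcetree versions against the CVE-2024-21697 fixed versions.

Added example, not Atlassian's code. Fixed versions are taken from the
advisory's patch table; the inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# Fixed versions per platform, as stated in the patch table.
FIXED_VERSIONS = {"macos": "4.2.9", "windows": "3.4.20"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.4.20' into (3, 4, 20) so the comparison is numeric.
    A plain string compare would wrongly rank '3.4.20' below '3.4.9'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the installed version is below the fixed version for its platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


def hosts_needing_patch(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames whose recorded Sourcetree version is still vulnerable."""
    return [r["host"] for r in inventory
            if is_vulnerable(r["platform"], r["version"])]


# Constructed inventory (hostnames and versions are sample data), e.g. the
# output of the macOS/Windows version commands gathered per workstation.
INVENTORY = [
    {"host": "dev-mac-01", "platform": "macos", "version": "4.2.8"},
    {"host": "dev-mac-02", "platform": "macos", "version": "4.2.9"},
    {"host": "dev-win-01", "platform": "windows", "version": "3.4.19"},
    {"host": "dev-win-02", "platform": "windows", "version": "3.4.20"},
    {"host": "dev-win-03", "platform": "windows", "version": "3.4.9"},
]


if __name__ == "__main__":
    for host in hosts_needing_patch(INVENTORY):
        print(f"{host}: vulnerable, upgrade required")
```

On the constructed inventory this reports `dev-mac-01`, `dev-win-01` and `dev-win-03`; the last one is the case a string comparison would miss, since `"3.4.9"` sorts after `"3.4.20"` lexically although it is an older build and therefore within "all prior versions" from the affected-products list.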
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.