The embedded version of [Git LFS|https://git-lfs.github.com] used in Sourcetree for macOS was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for macOS by adding a .lfsconfig file containing a malicious lfs url, allowing them to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS. This vulnerability can also be triggered from a web page through the use of the Sourcetree URI handler.
Affected versions:
Fix:
For additional details see the [full advisory|https://confluence.atlassian.com/x/lIIyO].