There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.
Affected versions:
Fix
For additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]