CVE-2019-14422: TortoiseSVN remote code execution vulnerability alert

On August 13, a researcher at the VXRL vulnerability lab disclosed a remote code execution vulnerability in TortoiseSVN (CVE-2019-14422). The flaw lies in the TortoiseSVN URI handler (tsvncmd:), which allows customized diff operations on Excel workbooks. These operations can be used to open a remote workbook without the protection of the macro security settings, resulting in arbitrary code execution. An attacker could take advantage of this by placing a workbook containing a macro virus on a network drive and forcing the victim to open the workbook and execute the macro. The vulnerability can be triggered by a specially crafted URL opened in a web browser.

Affected versions

  • TortoiseSVN Version <= 1.12.1

Unaffected version

  • TortoiseSVN Version == 1.12.2

Solution

The official release v1.12.2 fixes this vulnerability. Upgrading TortoiseSVN to this version as soon as possible is recommended.
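
A defender-side check for the two facts in this advisory, added here as a Python example (not code from TortoiseSVN or from the researchers): it tests a version string against the affected range and finds tsvncmd: links in page source or proxy logs, including percent-encoded and entity-encoded ones. The sample text, the PLACEHOLDER paths and the function names are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

LAST_AFFECTED = (1, 12, 1)  # advisory: versions <= 1.12.1 are affected

def parse_version(text):
    """Turn '1.12.1' or '1.12.1.28628' into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version_text):
    """True when the version falls in the affected range given in the advisory."""
    return parse_version(version_text) <= LAST_AFFECTED

# The scheme is matched case-insensitively; the URI ends at whitespace,
# a quote or an angle bracket.
TSVNCMD = re.compile(r"tsvncmd:[^\s\"'<>]*", re.IGNORECASE)

def find_tsvncmd_links(text):
    """Return (uri, mentions_diff) for every tsvncmd: URI found in text.

    HTML entities and percent-encoding are undone first so that encoded
    links in page source or proxy logs are not missed.
    """
    decoded = unquote(html.unescape(text))
    return [(m.group(0), "diff" in m.group(0).lower())
            for m in TSVNCMD.finditer(decoded)]

# Constructed sample: one HTML link, one ordinary link, one proxy log line.
SAMPLE = """
<a href="TSVNCMD:command:diff?path:PLACEHOLDER">report</a>
<a href="https://example.com/svn/trunk">repo</a>
GET /r?u=tsvncmd%3Acommand%3Alog%3Fpath%3APLACEHOLDER HTTP/1.1
"""

if __name__ == "__main__":
    for version in ("1.12.1", "1.12.2"):
        print(version, "affected" if is_affected(version) else "not affected")
    for uri, mentions_diff in find_tsvncmd_links(SAMPLE):
        print("tsvncmd link:", uri, "(diff operation)" if mentions_diff else "")
```

Links flagged with a diff operation on a host still running an affected version are the ones to review first.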

Origin www.linuxidc.com/Linux/2019-08/160071.htm