On August 13, a researcher from the vxrl vulnerability-lab published a remote code execution vulnerability (CVE-2019-14422) found in TortoiseSVN. The vulnerability is caused by TortoiseSVN’s URI handler (Tsvncmd:) which allows custom diff operations on Excel workbooks, which may be used to open remote workbooks without being protected by macro security settings, resulting in arbitrary code execution. An attacker could take advantage of this by placing a macro virus in the network drive, forcing the victim to open the workbook and execute the macro virus. The vulnerability can be triggered by accessing a specially crafted URL with a web browser.
- TortoiseSVN Version <= 1.12.1
- TortoiseSVN Version == 1.12.2
Currently, the official version of v1.12.2 has been released to fix the vulnerability. It is recommended to download the TortoiseSVN upgrade as soon as possible.