CVE-2019-14422 Vulnerability


F&F Technologies

Mar 22, 2023, 10:53:04 AM
to TortoiseSVN-dev
Good day all.

My organization is trying to use TortoiseSVN as a version control client. In researching, from the user group, it looks as though this may not be accepted as a vulnerability by TortoiseSVN.

The concern is that a macro can be executed which might harm a network. It appears that there are a number of steps to get there.

1. Can someone please advise if this was addressed?

2. If addressed, where might I find documentation on the resolution?

3. If not, are there plans to?

4. If there are no plans, I am requesting an explanation why, so I can present it to my organization.

I am hoping to obtain an answer by end of day Thursday as I have a meeting to rebut objections.

Thanks.

Daniel Sahlberg

Mar 22, 2023, 12:10:20 PM
to TortoiseSVN-dev
Please check r28647 of the diff script at https://svn.osdn.net/svnroot/tortoisesvn/trunk/contrib/diff-scripts/, it adds a protection layer by disabling macros:

// disable all macros
objExcelApp.AutomationSecurity = 3; //msoAutomationSecurityForceDisable

Based on the date, it seems to be in reaction to the CVE. It should have been included in the 1.13 release; it certainly is included as installed in 1.14.5.

Kind regards,
Daniel
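
An added example, not part of the original thread or of TortoiseSVN's code: one way to confirm that an installed diff script carries the setting quoted above is to check that `AutomationSecurity` is set to 3 in live (uncommented) code before the first workbook is opened. The `Workbooks.Open` call pattern, the function names and the sample script text are assumptions constructed for illustration.

```javascript
// Drop // and /* */ comments (string literals are kept intact) so that a
// commented-out assignment is never mistaken for the real setting.
function stripComments(src) {
  let out = "", i = 0, quote = null;
  while (i < src.length) {
    const c = src[i], next = src[i + 1];
    if (quote) {                               // inside a string literal
      out += c;
      if (c === "\\") { out += next ?? ""; i += 2; continue; }
      if (c === quote) quote = null;
      i++;
    } else if (c === '"' || c === "'") {
      quote = c; out += c; i++;
    } else if (c === "/" && next === "/") {    // line comment: skip to end of line
      while (i < src.length && src[i] !== "\n") i++;
    } else if (c === "/" && next === "*") {    // block comment: skip past */
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 2;
    } else { out += c; i++; }
  }
  return out;
}

// Classify a diff script: is AutomationSecurity forced to 3
// (msoAutomationSecurityForceDisable) before the first Workbooks.Open call?
function auditDiffScript(src) {
  const code = stripComments(src);
  const set = /\.AutomationSecurity\s*=\s*3\s*;/.exec(code);
  const open = /\.Workbooks\s*\.\s*Open\s*\(/.exec(code); // assumed call pattern
  if (!open) return "no-workbook-open";
  if (!set) return "macros-not-disabled";
  return set.index < open.index ? "ok" : "disabled-too-late";
}

// Constructed sample scripts (not the project's files).
const create = 'var objExcelApp = new ActiveXObject("Excel.Application");';
const open = "var book = objExcelApp.Workbooks.Open(sBaseDoc);";
const patched = [create, "// disable all macros",
  "objExcelApp.AutomationSecurity = 3; //msoAutomationSecurityForceDisable",
  open].join("\n");
const unpatched = [create, "// objExcelApp.AutomationSecurity = 3;", open].join("\n");
const tooLate = [create, open, "objExcelApp.AutomationSecurity = 3;"].join("\n");

for (const [name, src] of Object.entries({ patched, unpatched, tooLate })) {
  console.log(name + ": " + auditDiffScript(src));
}
```
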
 

F&F Technologies

Mar 22, 2023, 4:39:57 PM
to TortoiseSVN-dev
Daniel.

Thank you for the quick response. This definitely helps us to counter the opposition. The objection was a reaction to the CVE being there. The team asking for the software figured there was a fix as it was reported in version 1.12.

CA