CVE-2024-45401

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45401
stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H Broken Link
https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:stripe:stripe-cli:*:*:*:*:*:*:*:*
History

19 Sep 2024, 18:12

Type Values Removed Values Added
References () CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H - () CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H - Broken Link
References () https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr - () https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr - Vendor Advisory
First Time Stripe
Stripe stripe-cli
CPE cpe:2.3:a:stripe:stripe-cli:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 7.5 		v2 : unknown
v3 : 7.1

06 Sep 2024, 12:08

Type Values Removed Values Added
Summary
  • (es) stripe-cli es una herramienta de línea de comandos para el procesador de pagos Stripe. Existe una vulnerabilidad en stripe-cli a partir de la versión 1.11.1 y anteriores a la versión 1.21.3, donde un paquete de complemento que contiene un manifiesto con un nombre corto de complemento mal formado instalado usando los indicadores --archive-url o --archive-path puede sobrescribir archivos arbitrarios. La actualización en la versión 1.21.3 soluciona la vulnerabilidad de path traversal al eliminar la capacidad de instalar complementos desde una URL o ruta de archivo. No ha habido evidencia de explotación de esta vulnerabilidad.

05 Sep 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-05 18:15

Updated : 2024-09-19 18:12

NVD link : CVE-2024-45401

Mitre link : CVE-2024-45401

CVE.ORG link : CVE-2024-45401

JSON object : View

Products Affected

stripe

  • stripe-cli
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')