CVE-2024-45401

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45401
stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*
History

02 Jan 2025, 20:16

Type Values Removed Values Added
CPE cpe:2.3:a:stripe:stripe-cli:*:*:*:*:*:*:*:* cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*
First Time Stripe stripe Cli

19 Dec 2024, 22:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.1 		v2 : unknown
v3 : 7.5
References
  • {'url': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H', 'tags': ['Broken Link'], 'source': 'security-advisories@github.com'}

19 Sep 2024, 18:12

Type Values Removed Values Added
CPE cpe:2.3:a:stripe:stripe-cli:*:*:*:*:*:*:*:*
First Time Stripe
Stripe stripe-cli
CVSS v2 : unknown
v3 : 7.5 		v2 : unknown
v3 : 7.1
References () CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H - () CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H - Broken Link
References () https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr - () https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr - Vendor Advisory

06 Sep 2024, 12:08

Type Values Removed Values Added
Summary
  • (es) stripe-cli es una herramienta de línea de comandos para el procesador de pagos Stripe. Existe una vulnerabilidad en stripe-cli a partir de la versión 1.11.1 y anteriores a la versión 1.21.3, donde un paquete de complemento que contiene un manifiesto con un nombre corto de complemento mal formado instalado usando los indicadores --archive-url o --archive-path puede sobrescribir archivos arbitrarios. La actualización en la versión 1.21.3 soluciona la vulnerabilidad de path traversal al eliminar la capacidad de instalar complementos desde una URL o ruta de archivo. No ha habido evidencia de explotación de esta vulnerabilidad.

05 Sep 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-05 18:15

Updated : 2025-01-02 20:16

NVD link : CVE-2024-45401

Mitre link : CVE-2024-45401

CVE.ORG link : CVE-2024-45401

JSON object : View

Products Affected

stripe

  • stripe_cli
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')