CVE-2024-45401 (GCVE-0-2024-45401)

Vulnerability from cvelistv5 – Published: 2024-09-05 17:09 – Updated: 2024-12-19 21:21
VLAI?
Title
stripe-cli Path Traversal vulnerability
Summary
stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.
Severity ?
7.6 (High)
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
Vendor Product Version
stripe stripe-cli Affected: >= 1.11.1, < 1.21.3
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "stripe_cli",
            "vendor": "stripe",
            "versions": [
              {
                "lessThan": "1.21.3",
                "status": "affected",
                "version": "1.11.1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45401",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-05T17:40:17.823166Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-05T17:42:19.327Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "stripe-cli",
          "vendor": "stripe",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.11.1, \u003c 1.21.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T21:21:42.735Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr"
        }
      ],
      "source": {
        "advisory": "GHSA-fv4g-gwpj-74gr",
        "discovery": "UNKNOWN"
      },
      "title": "stripe-cli Path Traversal vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-45401",
    "datePublished": "2024-09-05T17:09:08.933Z",
    "dateReserved": "2024-08-28T20:21:32.803Z",
    "dateUpdated": "2024-12-19T21:21:42.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-45401",
      "date": "2026-04-26",
      "epss": "0.00116",
      "percentile": "0.30043"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.11.1\", \"versionEndExcluding\": \"1.21.3\", \"matchCriteriaId\": \"FBE2DD29-3585-4A0D-9009-D804A564327C\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"stripe-cli es una herramienta de l\\u00ednea de comandos para el procesador de pagos Stripe. Existe una vulnerabilidad en stripe-cli a partir de la versi\\u00f3n 1.11.1 y anteriores a la versi\\u00f3n 1.21.3, donde un paquete de complemento que contiene un manifiesto con un nombre corto de complemento mal formado instalado usando los indicadores --archive-url o --archive-path puede sobrescribir archivos arbitrarios. La actualizaci\\u00f3n en la versi\\u00f3n 1.21.3 soluciona la vulnerabilidad de path traversal al eliminar la capacidad de instalar complementos desde una URL o ruta de archivo. No ha habido evidencia de explotaci\\u00f3n de esta vulnerabilidad.\"}]",
      "id": "CVE-2024-45401",
      "lastModified": "2025-01-02T20:16:12.107",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.8, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.2}]}",
      "published": "2024-09-05T18:15:06.227",
      "references": "[{\"url\": \"https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-45401\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-05T18:15:06.227\",\"lastModified\":\"2025-01-02T20:16:12.107\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.\"},{\"lang\":\"es\",\"value\":\"stripe-cli es una herramienta de l\u00ednea de comandos para el procesador de pagos Stripe. Existe una vulnerabilidad en stripe-cli a partir de la versi\u00f3n 1.11.1 y anteriores a la versi\u00f3n 1.21.3, donde un paquete de complemento que contiene un manifiesto con un nombre corto de complemento mal formado instalado usando los indicadores --archive-url o --archive-path puede sobrescribir archivos arbitrarios. La actualizaci\u00f3n en la versi\u00f3n 1.21.3 soluciona la vulnerabilidad de path traversal al eliminar la capacidad de instalar complementos desde una URL o ruta de archivo. No ha habido evidencia de explotaci\u00f3n de esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.11.1\",\"versionEndExcluding\":\"1.21.3\",\"matchCriteriaId\":\"FBE2DD29-3585-4A0D-9009-D804A564327C\"}]}]}],\"references\":[{\"url\":\"https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45401\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-05T17:40:17.823166Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*\"], \"vendor\": \"stripe\", \"product\": \"stripe_cli\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.11.1\", \"lessThan\": \"1.21.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-05T17:42:10.278Z\"}}], \"cna\": {\"title\": \"stripe-cli Path Traversal vulnerability\", \"source\": {\"advisory\": \"GHSA-fv4g-gwpj-74gr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"stripe\", \"product\": \"stripe-cli\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.11.1, \u003c 1.21.3\"}]}], \"references\": [{\"url\": \"https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr\", \"name\": \"https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-12-19T21:21:42.735Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-45401\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-19T21:21:42.735Z\", \"dateReserved\": \"2024-08-28T20:21:32.803Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-09-05T17:09:08.933Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.