CVE-2024-45401 – github.com/stripe/stripe-cli

Package

Manager: go
Name: github.com/stripe/stripe-cli
Vulnerable Version: >=1.11.1 <1.21.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

EPSS: 0.00032 pctl0.07686

Details

Path traversal vulnerability in stripe-cli ### Impact A vulnerability exists in stripe-cli versions 1.11.1 and higher where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability. ### Recommendation Upgrade to stripe-cli v1.21.3. ### Acknowledgements Thank you to [0xacb](https://hackerone.com/0xacb) and [bordiez](https://hackerone.com/bordiez) for reporting this vulnerability. ### For more information Email us at [security@stripe.com](mailto:security@stripe.com)

Metadata

Created: 2024-09-05T16:40:41Z
Modified: 2024-11-18T16:27:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-fv4g-gwpj-74gr/GHSA-fv4g-gwpj-74gr.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-fv4g-gwpj-74gr
Finding: F063
Auto approve: 1