stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.
History

Thu, 19 Dec 2024 22:30:00 +0000
References

Thu, 19 Sep 2024 18:30:00 +0000
First Time appeared: Stripe stripe-cli
CPEs: cpe:2.3:a:stripe:stripe-cli:*:*:*:*:*:*:*:*
Vendors & Products: Stripe stripe-cli

Thu, 05 Sep 2024 18:30:00 +0000
First Time appeared: Stripe; Stripe stripe Cli
CPEs: cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*
Vendors & Products: Stripe; Stripe stripe Cli
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Sep 2024 17:30:00 +0000
Description: stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.
Title: stripe-cli Path Traversal vulnerability
Weaknesses: CWE-22
References
Metrics: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-05T17:09:08.933Z

Updated: 2024-12-19T21:21:42.735Z

Reserved: 2024-08-28T20:21:32.803Z

Link: CVE-2024-45401

Vulnrichment

Updated: 2024-09-05T17:42:10.278Z

NVD

Status: Modified

Published: 2024-09-05T18:15:06.227

Modified: 2024-12-19T22:15:05.770

Link: CVE-2024-45401

Redhat

No data.