Lucene search

GoogleOSV:GHSA-FV4G-GWPJ-74GR

HistorySep 05, 2024 - 4:40 p.m.

Path traversal vulnerability in stripe-cli

2024-09-0516:40:41

Google

osv.dev

stripe-cli

path traversal

vulnerability

upgrade

v1.21.3

CVSS3

7.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS

Percentile

11.1%

JSON

Impact

A vulnerability exists in stripe-cli versions 1.11.1 and higher where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files.

The update addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path.

There has been no evidence of exploitation of this vulnerability.

Recommendation

Upgrade to stripe-cli v1.21.3.

Acknowledgements

Thank you to 0xacb and bordiez for reporting this vulnerability.

For more information

Email us at [email protected]

References

github.com/stripe/stripe-cli

github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr

nvd.nist.gov/vuln/detail/CVE-2024-45401

CVSS3

7.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS

Percentile

11.1%

JSON

Related for OSV:GHSA-FV4G-GWPJ-74GR