Vulnerability-Lookup

GHSA-FV4G-GWPJ-74GR

Vulnerability from github – Published: 2024-09-05 16:40 – Updated: 2024-11-18 16:27

Summary

Path traversal vulnerability in stripe-cli

Details

Impact

A vulnerability exists in stripe-cli versions 1.11.1 and higher where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files.

The update addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path.

There has been no evidence of exploitation of this vulnerability.

Recommendation

Upgrade to stripe-cli v1.21.3.

Acknowledgements

Thank you to 0xacb and bordiez for reporting this vulnerability.

For more information

Email us at security@stripe.com

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

2.4 (Low)


                  
                    CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/stripe/stripe-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.1"
            },
            {
              "fixed": "1.21.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-05T16:40:41Z",
    "nvd_published_at": "2024-09-05T18:15:06Z",
    "severity": "LOW"
  },
  "details": "### Impact\nA vulnerability exists in stripe-cli versions 1.11.1 and higher where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files.\n\nThe update addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path.\n\nThere has been no evidence of exploitation of this vulnerability.\n\n### Recommendation\nUpgrade to stripe-cli v1.21.3.\n\n### Acknowledgements\nThank you to [0xacb](https://hackerone.com/0xacb) and [bordiez](https://hackerone.com/bordiez) for reporting this vulnerability.\n\n### For more information\nEmail us at [security@stripe.com](mailto:security@stripe.com)",
  "id": "GHSA-fv4g-gwpj-74gr",
  "modified": "2024-11-18T16:27:10Z",
  "published": "2024-09-05T16:40:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45401"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stripe/stripe-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Path traversal vulnerability in stripe-cli "
}

CVE-2024-45401 (GCVE-0-2024-45401)

Vulnerability from cvelistv5 – Published: 2024-09-05 17:09 – Updated: 2024-12-19 21:21

Title

stripe-cli Path Traversal vulnerability

Summary

stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.

Severity

7.6 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/stripe/stripe-cli/security/adv…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
stripe	stripe-cli	Affected: >= 1.11.1, < 1.21.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "stripe_cli",
            "vendor": "stripe",
            "versions": [
              {
                "lessThan": "1.21.3",
                "status": "affected",
                "version": "1.11.1",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-45401",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-05T17:40:17.823166Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-05T17:42:19.327Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "stripe-cli",
          "vendor": "stripe",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.11.1, \u003c 1.21.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T21:21:42.735Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr"
        }
      ],
      "source": {
        "advisory": "GHSA-fv4g-gwpj-74gr",
        "discovery": "UNKNOWN"
      },
      "title": "stripe-cli Path Traversal vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-45401",
    "datePublished": "2024-09-05T17:09:08.933Z",
    "dateReserved": "2024-08-28T20:21:32.803Z",
    "dateUpdated": "2024-12-19T21:21:42.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted