Stripe CLI vulnerability: Attackers can overwrite arbitrary files with malformed plugin
CVE-2024-45401

7.1HIGH

Key Information:

Vendor
Stripe
Status
Stripe-cli
Vendor
CVE Published:
5 September 2024

Summary

The vulnerability in the Stripe CLI tool allows attackers to exploit a path traversal issue through the installation of a plugin package with a malformed shortname. This occurs when the flags --archive-url or --archive-path are used, potentially leading to the overwriting of arbitrary files on the affected system. The vulnerability affects versions of stripe-cli from 1.11.1 up to, but not including, 1.21.3. Notably, the latest version, 1.21.3, mitigates this risk by preventing the installation of plugins from archive URLs or paths. While there have been no reported instances of exploitation, organizations using affected versions are advised to upgrade to the latest version to ensure their systems are secure.

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.