Stripe CLI vulnerability: Attackers can overwrite arbitrary files with malformed plugin
CVE-2024-45401
What is CVE-2024-45401?
The Stripe CLI tool is vulnerable to a path traversal issue that is triggered by installing a plugin package with a malformed shortname. This occurs when the --archive-url or --archive-path flags are used, and it can lead to arbitrary files being overwritten on the affected system. The vulnerability affects versions of stripe-cli from 1.11.1 up to, but not including, 1.21.3. Notably, the latest version, 1.21.3, mitigates this risk by no longer allowing plugins to be installed from archive URLs or paths. While no exploitation has been reported, organizations using affected versions are advised to upgrade to the latest version.
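The defensive pattern behind this class of bug, as an added example that is not the Stripe CLI's own code: a plugin shortname is first checked against an allow-list, and the resulting install path is then confirmed to stay inside the plugin directory. The allow-list pattern, error names and the /opt/stripe/plugins root are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	// Assumed allow-list for plugin shortnames (this example's policy, not the Stripe CLI's):
	// lowercase alphanumerics, '-' and '_' only, so no separators or ".." can get in.
	shortnamePattern = regexp.MustCompile(`^[a-z0-9][a-z0-9_-]{0,63}$`)
	ErrBadShortname  = errors.New("plugin shortname rejected")
	ErrEscapesRoot   = errors.New("target path escapes plugin directory")
)

// ValidateShortname is the first line of defence: reject the name before it touches a path.
func ValidateShortname(name string) error {
	if !shortnamePattern.MatchString(name) {
		return fmt.Errorf("%w: %q", ErrBadShortname, name)
	}
	return nil
}

// SafeJoin resolves name under root and refuses any result outside root, which is
// the containment check a path-traversal fix relies on even if validation is bypassed.
func SafeJoin(root, name string) (string, error) {
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, name) // Join cleans, collapsing any ".." segments
	// Compare against root plus a separator so /opt/plugins-evil does not match /opt/plugins.
	if target != cleanRoot && !strings.HasPrefix(target, cleanRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRoot, target)
	}
	return target, nil
}

// PluginInstallPath applies both checks before any archive is extracted.
func PluginInstallPath(root, name string) (string, error) {
	if err := ValidateShortname(name); err != nil {
		return "", err
	}
	return SafeJoin(root, name)
}

func main() {
	fmt.Println(PluginInstallPath("/opt/stripe/plugins", "tail-logs"))
}
```

The second check matters on its own: even when a name slips past the allow-list, a path that resolves outside the plugin root is still refused before any file is written.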
