Stripe CLI vulnerability: Attackers can overwrite arbitrary files with malformed plugin
CVE-2024-45401
7.1HIGH
Key Information:
- Vendor
- Stripe
- Status
- Stripe-cli
- Vendor
- CVE Published:
- 5 September 2024
Summary
The vulnerability in the Stripe CLI tool allows attackers to exploit a path traversal issue through the installation of a plugin package with a malformed shortname. This occurs when the flags --archive-url or --archive-path are used, potentially leading to the overwriting of arbitrary files on the affected system. The vulnerability affects versions of stripe-cli from 1.11.1 up to, but not including, 1.21.3. Notably, the latest version, 1.21.3, mitigates this risk by preventing the installation of plugins from archive URLs or paths. While there have been no reported instances of exploitation, organizations using affected versions are advised to upgrade to the latest version to ensure their systems are secure.
References
CVSS V3.1
Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published