{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45401", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-08-28T20:21:32.803Z", "datePublished": "2024-09-05T17:09:08.933Z", "dateUpdated": "2024-09-05T17:42:19.327Z"}, "containers": {"cna": {"title": "stripe-cli Path Traversal vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr"}, {"name": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "tags": ["x_refsource_MISC"], "url": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"}], "affected": [{"vendor": "stripe", "product": "stripe-cli", "versions": [{"version": ">= 1.11.1, < 1.21.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-05T17:09:08.933Z"}, "descriptions": [{"lang": "en", "value": "stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability."}], "source": {"advisory": "GHSA-fv4g-gwpj-74gr", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "stripe", "product": "stripe_cli", "cpes": ["cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.11.1", "status": "affected", "lessThan": "1.21.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T17:40:17.823166Z", "id": "CVE-2024-45401", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T17:42:19.327Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45401", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-05T17:40:17.823166Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*"], "vendor": "stripe", "product": "stripe_cli", "versions": [{"status": "affected", "version": "1.11.1", "lessThan": "1.21.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T17:42:10.278Z"}}], "cna": {"title": "stripe-cli Path Traversal vulnerability", "source": {"advisory": "GHSA-fv4g-gwpj-74gr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "stripe", "product": "stripe-cli", "versions": [{"status": "affected", "version": ">= 1.11.1, < 1.21.3"}]}], "references": [{"url": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr", "name": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr", "tags": ["x_refsource_CONFIRM"]}, {"url": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "name": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-05T17:09:08.933Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45401", "state": "PUBLISHED", "dateUpdated": "2024-09-05T17:42:19.327Z", "dateReserved": "2024-08-28T20:21:32.803Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-05T17:09:08.933Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stripe:stripe-cli:*:*:*:*:*:*:*:*", "matchCriteriaId": "F43365D4-FD7D-470A-9948-88FC4B3DE261", "versionEndExcluding": "1.21.3", "versionStartIncluding": "1.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability."}, {"lang": "es", "value": "stripe-cli es una herramienta de l\u00ednea de comandos para el procesador de pagos Stripe. Existe una vulnerabilidad en stripe-cli a partir de la versi\u00f3n 1.11.1 y anteriores a la versi\u00f3n 1.21.3, donde un paquete de complemento que contiene un manifiesto con un nombre corto de complemento mal formado instalado usando los indicadores --archive-url o --archive-path puede sobrescribir archivos arbitrarios. La actualizaci\u00f3n en la versi\u00f3n 1.21.3 soluciona la vulnerabilidad de path traversal al eliminar la capacidad de instalar complementos desde una URL o ruta de archivo. No ha habido evidencia de explotaci\u00f3n de esta vulnerabilidad."}], "id": "CVE-2024-45401", "lastModified": "2024-09-19T18:12:52.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-05T18:15:06.227", "references": [{"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}