CVE-2024-45401

Опубликовано: 05 сент. 2024

Источник: nvd

CVSS3: 7.5

CVSS3: 7.1

EPSS Низкий

Описание

stripe-cli is a command-line tool for the payment processor Stripe. A vulnerability exists in stripe-cli starting in version 1.11.1 and prior to version 1.21.3 where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files. The update in version 1.21.3 addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path. There has been no evidence of exploitation of this vulnerability.

Ссылки

https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:stripe:stripe_cli:*:*:*:*:*:*:*:*

Версия от 1.11.1 (включая) до 1.21.3 (исключая)

EPSS

Процентиль: 31%

0.00116

Низкий

7.5 High

CVSS3

7.1 High

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-fv4g-gwpj-74gr

CVSS3: 7.5

github

больше 1 года назад

Path traversal vulnerability in stripe-cli

EPSS

Процентиль: 31%

0.00116

Низкий

7.5 High

CVSS3

7.1 High

CVSS3

Дефекты

CWE-22