7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45401

GHSA ID

GHSA-fv4g-gwpj-74gr

EPSS Score

0.07601%

CWE

CWE-22

Published

9/5/2024

Updated

11/18/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45401

CVE-2024-45401: Path traversal vulnerability in stripe-cli

Impact

A vulnerability exists in stripe-cli versions 1.11.1 and higher where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files.

The update addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path.

There has been no evidence of exploitation of this vulnerability.

Recommendation

Upgrade to stripe-cli v1.21.3.

Acknowledgements

Thank you to 0xacb and bordiez for reporting this vulnerability.

For more information

Email us at security@stripe.com

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-45401

CVE-2024-45401:

7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45401

GHSA ID

GHSA-fv4g-gwpj-74gr

EPSS Score

0.07601%

CWE

CWE-22

Published

9/5/2024

Updated

11/18/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/stripe/stripe-cli	go	>= 1.11.1, < 1.21.3	1.21.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from processing plugin archives with malformed shortnames. The key functions would be those responsible for 1) parsing plugin manifests to get the shortname, and 2) using that shortname to determine file paths during installation. Without proper path sanitization (e.g., checking for directory traversal sequences), these functions would allow writing files outside the intended directory. The medium confidence reflects the lack of direct code/patch access, but the description strongly implies these components were involved given the --archive-url/--archive-path attack vector and CWE-22 classification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-45401: Path traversal vulnerability in stripe-cli

Impact

Recommendation

Acknowledgements

For more information

CVE-2024-45401:

7.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

7.6

7.6

CVE-2024-45401: Path traversal vulnerability in stripe-cli

Impact

Recommendation

Acknowledgements

For more information

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI