x/vulndb: potential Go vuln in github.com/stripe/stripe-cli: GHSA-fv4g-gwpj-74gr

[GoVulnBot]

Advisory GHSA-fv4g-gwpj-74gr references a vulnerability in the following Go modules:

Module
github.com/stripe/stripe-cli

Description:

Impact

A vulnerability exists in stripe-cli versions 1.11.1 and higher where a plugin package containing a manifest with a malformed plugin shortname installed using the --archive-url or --archive-path flags can overwrite arbitrary files.

The update addresses the path traversal vulnerability by removing the ability to install plugins from an archive URL or path.

There has been no evidence of exploitation of this vulnerability.

Recommendation

Upgrade to stripe-cli v1.21.3.

For more information

Email us at security@stripe.com

References:

• ADVISORY: GHSA-fv4g-gwpj-74gr
• ADVISORY: GHSA-fv4g-gwpj-74gr

Cross references:

• github.com/stripe/stripe-cli appears in 1 other report(s):
  • data/reports/GO-2022-0350.yaml (x/vulndb: potential Go vuln in github.com/stripe/stripe-cli: CVE-2022-24753 #350)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/stripe/stripe-cli
      versions:
        - introduced: 1.11.1
        - fixed: 1.21.3
      vulnerable_at: 1.21.2
summary: Path traversal vulnerability in stripe-cli in github.com/stripe/stripe-cli
cves:
    - CVE-2024-45401
ghsas:
    - GHSA-fv4g-gwpj-74gr
references:
    - advisory: https://github.com/advisories/GHSA-fv4g-gwpj-74gr
    - advisory: https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr
source:
    id: GHSA-fv4g-gwpj-74gr
    created: 2024-09-05T17:01:28.336282828Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/610804 mentions this issue: data/reports: add 8 unreviewed reports