Skip to content

SQL injection in litellm

Moderate severity GitHub Reviewed Published Jun 6, 2024 to the GitHub Advisory Database • Updated Jun 6, 2024

Package

pip litellm (pip)

Affected versions

<= 1.27.14

Patched versions

None

Description

A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database. The affected version is 1.27.14.

References

Published by the National Vulnerability Database Jun 6, 2024
Published to the GitHub Advisory Database Jun 6, 2024
Reviewed Jun 6, 2024
Last updated Jun 6, 2024

Severity

Moderate
4.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2024-4890

GHSA ID

GHSA-8j42-pcfm-3467

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.