CVE-2024-4890: SQL injection in litellm

June 6, 2024

A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the ‘/team/update’ process. The vulnerability arises due to the improper handling of the ‘user_id’ parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the ‘user_id’ parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database. The affected version is 1.27.14.

References

github.com/BerriAI/litellm
github.com/BerriAI/litellm/pull/2954
github.com/advisories/GHSA-8j42-pcfm-3467
huntr.com/bounties/a4f6d357-5b44-4e00-9cac-f1cc351211d2
nvd.nist.gov/vuln/detail/CVE-2024-4890

Code Behaviors & Features

Detect and mitigate CVE-2024-4890 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →