SQL Injection Vulnerability in berriai/litellm Repository Affects Latest Version
CVE-2024-5225

7.2 HIGH

Key Information:

Vendor: Berriai
CVE Published: 6 June 2024

Summary

An SQL injection vulnerability (improper neutralization of special elements used in an SQL command, CWE-89) exists in the berriai/litellm repository, in the /global/spend/logs endpoint. The endpoint inserts the caller-supplied api_key parameter directly into the text of an SQL query, with no validation and no parameter binding, so an api_key value that contains quote characters or SQL syntax changes the query the database executes. The request must be authenticated (the CVSS vector scores Privileges Required as High), so the attacker is a caller who already holds a valid key; that caller can nevertheless read spend records that belong to other keys, manipulate data, expose other sensitive information, or trigger a denial of service, depending on what the database account behind the endpoint is allowed to do. Operators should upgrade to a release that binds api_key as a query parameter rather than interpolating it into the query string, and should check any other raw-query call sites for the same pattern.
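The following is an added illustration of the bug class described above, not code from the litellm project: a spend-log lookup that interpolates api_key into the query text next to the same lookup with the value bound as a parameter. The table name, column names, function names, sample rows and the SQLite backend are all assumptions made for the demonstration; the real endpoint queries its own database with its own schema.

```python
import sqlite3

# Constructed sample data: spend-log rows belonging to three different API keys.
SAMPLE_ROWS = [
    ("sk-alice", "gpt-4", 0.12),
    ("sk-alice", "gpt-3.5-turbo", 0.01),
    ("sk-bob", "gpt-4", 0.40),
    ("sk-carol", "claude-2", 0.25),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like a per-request spend log (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spend_logs (api_key TEXT, model TEXT, spend REAL)")
    conn.executemany("INSERT INTO spend_logs VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def spend_logs_vulnerable(conn: sqlite3.Connection, api_key: str) -> list:
    """Interpolates the caller-supplied api_key straight into the SQL text.

    This is the CWE-89 pattern the advisory describes: the caller controls where
    the string literal ends, and therefore what the rest of the statement says.
    """
    sql = f"SELECT api_key, model, spend FROM spend_logs WHERE api_key = '{api_key}'"
    return conn.execute(sql).fetchall()


def spend_logs_fixed(conn: sqlite3.Connection, api_key: str) -> list:
    """Binds api_key as a query parameter; the driver passes it as data, never as SQL."""
    sql = "SELECT api_key, model, spend FROM spend_logs WHERE api_key = ?"
    return conn.execute(sql, (api_key,)).fetchall()


# Two constructed payloads an authenticated caller could send as api_key.
# Tautology: closes the literal and ORs in an always-true predicate -> every key's rows.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
# Targeted read: names another tenant's key and comments out the trailing quote.
TARGETED_PAYLOAD = "sk-bob' --"


def demo() -> dict:
    """Run both implementations against both payloads and return the row counts."""
    conn = make_db()
    return {
        "legit_fixed": len(spend_logs_fixed(conn, "sk-alice")),
        "tautology_vulnerable": len(spend_logs_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "targeted_vulnerable": spend_logs_vulnerable(conn, TARGETED_PAYLOAD),
        "tautology_fixed": len(spend_logs_fixed(conn, TAUTOLOGY_PAYLOAD)),
        "targeted_fixed": len(spend_logs_fixed(conn, TARGETED_PAYLOAD)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the interpolating version the tautology payload returns all four rows and the targeted payload returns sk-bob's row, even though the caller only holds their own key; with the bound parameter both payloads are compared as literal strings and match nothing. The same distinction applies to any raw-query API: the fix is to pass user input through the driver's parameter mechanism, not to escape quotes by hand.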

Affected Version(s)

berriai/litellm <= unspecified

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

  • Vulnerability published

  • Vulnerability Reserved