CVE-2024-4890 — MEDIUM (4.9)

Vulnerability Description

A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database. The affected version is 1.27.14.

CVSS Score

4.9

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Litellm	Litellm	1.27.14

Related Weaknesses (CWE)

CWE-89

References

https://huntr.com/bounties/a4f6d357-5b44-4e00-9cac-f1cc351211d2ExploitThird Party Advisory
https://huntr.com/bounties/a4f6d357-5b44-4e00-9cac-f1cc351211d2ExploitThird Party Advisory

FAQ

What is CVE-2024-4890?

CVE-2024-4890 is a vulnerability with a CVSS score of 4.9 (MEDIUM). A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' pa...

How severe is CVE-2024-4890?

CVE-2024-4890 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-4890?

Check the references section above for vendor advisories and patch information. Affected products include: Litellm Litellm.