CVE-2024-4890 MEDIUM

CVE-2024-4890: Blind SQL Injection in berriai/litellm

Vendor Berriai
Product berriai/litellm
Weakness CWE-89 · SQLi
Published June 6, 2024
Last update August 1, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises because the 'user_id' parameter is not handled safely in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database. The affected version is 1.27.14.

Key dates

Disclosure timeline

June 6, 2024 CVE published
August 1, 2024 Record updated