BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this vulnerability by sending a specially crafted request that includes a file path to the server, which then deletes the specified file without proper authorization or validation. This vulnerability is present in the code where `os.remove(file.filename)` is used to delete a file, allowing any user to delete critical files on the server such as SSH keys, SQLite databases, or configuration files.
References
Configurations
No configuration.
History
07 Jun 2024, 14:56
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Jun 2024, 19:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-06 19:16
Updated : 2024-06-07 14:56
NVD link : CVE-2024-4888
Mitre link : CVE-2024-4888
CVE.ORG link : CVE-2024-4888
JSON object : View
Products Affected
No product.
CWE
CWE-20
Improper Input Validation