An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidated `api_key` parameter directly into the query, making it susceptible to SQL Injection if the `api_key` contains malicious data. This issue affects the latest version of the repository. Successful exploitation of this vulnerability could lead to unauthorized access, data manipulation, exposure of confidential information, and denial of service (DoS).
References
Link | Resource |
---|---|
https://huntr.com/bounties/491e4884-0306-4cd4-8fe2-9a19de33bf5c | Exploit Third Party Advisory |
Configurations
History
23 Sep 2024, 19:46
Type | Values Removed | Values Added |
---|---|---|
References | () https://huntr.com/bounties/491e4884-0306-4cd4-8fe2-9a19de33bf5c - Exploit, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
CPE | cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:* | |
First Time |
Litellm litellm
Litellm |
07 Jun 2024, 14:56
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Jun 2024, 19:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-06 19:16
Updated : 2024-09-23 19:46
NVD link : CVE-2024-5225
Mitre link : CVE-2024-5225
CVE.ORG link : CVE-2024-5225
JSON object : View
Products Affected
litellm
- litellm
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')