BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model.
References
Link | Resource |
---|---|
https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce | Third Party Advisory |
Configurations
History
20 Sep 2024, 18:01
Type | Values Removed | Values Added |
---|---|---|
References | () https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce - Third Party Advisory | |
CPE | cpe:2.3:a:litellm:litellm:1.35.8:*:*:*:*:*:*:* | |
First Time |
Litellm litellm
Litellm |
|
Summary |
|
27 Jun 2024, 19:25
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-27 19:15
Updated : 2024-09-20 18:01
NVD link : CVE-2024-5751
Mitre link : CVE-2024-5751
CVE.ORG link : CVE-2024-5751
JSON object : View
Products Affected
litellm
- litellm
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')