A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database. The affected version is 1.27.14.
History

Thu, 10 Oct 2024 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Litellm
Litellm litellm
CPEs cpe:2.3:a:litellm:litellm:1.27.14:*:*:*:*:*:*:*
Vendors & Products Litellm
Litellm litellm
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:23:49.593Z

Updated: 2024-08-01T20:55:10.325Z

Reserved: 2024-05-14T22:59:45.190Z

Link: CVE-2024-4890

cve-icon Vulnrichment

Updated: 2024-08-01T20:55:10.325Z

cve-icon NVD

Status : Modified

Published: 2024-06-06T19:16:03.630

Modified: 2024-11-21T09:43:48.113

Link: CVE-2024-4890

cve-icon Redhat

No data.