CVE-2024-5225 SQL Injection in berriai/litellm

2024-06-0618:19:48

CWE-89

@huntr_ai

www.cve.org

sql injection

berriai/litellm

/global/spend/logs

sql command

api key

unauthorized access

data manipulation

confidential information

denial of service

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.0%

JSON

An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the /global/spend/logs endpoint. The vulnerability arises due to improper neutralization of special elements used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidated api_key parameter directly into the query, making it susceptible to SQL Injection if the api_key contains malicious data. This issue affects the latest version of the repository. Successful exploitation of this vulnerability could lead to unauthorized access, data manipulation, exposure of confidential information, and denial of service (DoS).

CNA Affected

[
  {
    "vendor": "berriai",
    "product": "berriai/litellm",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]