Vulnerabilities > CVE-2024-4890 - Unspecified vulnerability in Litellm 1.27.14

CVSS 4.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

litellm

NVD

Published: 2024-06-06

Updated: 2024-11-21

Summary

A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database. The affected version is 1.27.14.

Vulnerable Configurations

Part	Description	Count
Application	Litellm Litellm Litellm 1.27.14	1

References

https://huntr.com/bounties/a4f6d357-5b44-4e00-9cac-f1cc351211d2
https://huntr.com/bounties/a4f6d357-5b44-4e00-9cac-f1cc351211d2