CVELIST:CVE-2024-4264 (source: cvelist / @huntr_ai)
History: May 18, 2024 - 12:00 a.m.

CVE-2024-4264 Remote Code Execution in berriai/litellm

Published: 2024-05-18 00:00:15
CWE: CWE-94
Reporter: @huntr_ai
Reference: raw.githubusercontent.com
Tags: remote code execution, vulnerability, berriai/litellm, google kms, environment variables, endpoint, proxy server config.

AI Score: 9.8 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 8.7%)

A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of code generation (CWE-94): the litellm.get_secret() method passes data to Python's eval() unsafely. Specifically, when the server is configured to use Google KMS, the decrypted secret value is handed to eval() without any sanitization. An attacker can exploit this by injecting malicious values into environment variables through the /config/update endpoint, which allows updating the settings in proxy_server_config.yaml; the injected value is then evaluated as Python code the next time the secret is read.
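The pattern described above, shown as an added example that is not litellm's own code: a secret lookup that decrypts a value and feeds it to eval() beside a hardened version that treats the secret as an opaque string (or parses only literals). The KMS client, the config-update helper, the environment-variable names and the payload are all constructed assumptions so the example runs offline; the real /config/update handler and get_secret() implementation are not reproduced here.

```python
"""Illustrative reproduction of the CWE-94 pattern behind CVE-2024-4264.

This is added example code, NOT litellm's implementation. FakeKmsClient,
apply_config_update(), the secret names and the payload are assumptions
chosen so the pattern can be exercised offline.
"""
import ast
import os


class FakeKmsClient:
    """Constructed stand-in for a Google KMS client.

    "Decrypts" by returning the input unchanged, so whatever an attacker
    writes into the environment variable comes straight back out.
    """

    def decrypt(self, ciphertext: str) -> str:
        return ciphertext


def apply_config_update(settings: dict) -> None:
    """Constructed stand-in for a /config/update handler that merges an
    attacker-controlled settings document into process environment variables.
    """
    for key, value in settings.get("environment_variables", {}).items():
        os.environ[key] = str(value)


def get_secret_vulnerable(name: str, kms: FakeKmsClient) -> object:
    """Vulnerable shape: the decrypted secret is handed to eval()."""
    decrypted = kms.decrypt(os.environ[name])
    return eval(decrypted)  # CWE-94: arbitrary Python executes here


def get_secret_hardened(name: str, kms: FakeKmsClient) -> object:
    """Hardened shape: never eval(). A secret is an opaque string; if a
    structured value is genuinely needed, ast.literal_eval() accepts only
    Python literals (dicts, lists, numbers, strings) and rejects calls,
    attribute access and imports.
    """
    decrypted = kms.decrypt(os.environ[name])
    try:
        return ast.literal_eval(decrypted)
    except (ValueError, SyntaxError, TypeError):
        return decrypted


def demo() -> dict:
    """Run both lookups against an attacker-supplied value and a benign
    structured value; returns the observations so they can be asserted on.
    """
    kms = FakeKmsClient()
    # Constructed attacker payload: an expression, not a secret. It is
    # deliberately harmless (returns the current PID) so the example is safe.
    payload = "__import__('os').getpid()"
    apply_config_update({
        "environment_variables": {
            "GOOGLE_KMS_SECRET": payload,
            "DB_CREDS": "{'user': 'app', 'port': 5432}",
        }
    })
    executed = get_secret_vulnerable("GOOGLE_KMS_SECRET", kms)
    return {
        # True: eval() ran the injected code and returned the live PID.
        "vulnerable_executed_code": executed == os.getpid(),
        # The hardened path hands the payload back as an inert string.
        "hardened_payload": get_secret_hardened("GOOGLE_KMS_SECRET", kms),
        # Legitimate literal-structured secrets still parse.
        "hardened_structured": get_secret_hardened("DB_CREDS", kms),
    }


if __name__ == "__main__":
    print(demo())
```

Removing eval() closes the code-execution sink, but the injection path matters too: any endpoint that can write process environment variables, as /config/update does here, needs to be restricted to authenticated administrators regardless of how the values are later consumed. The page does not state what authentication that endpoint required at the time.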

