Lucene search

Veracode Vulnerability DatabaseVERACODE:47450

HistoryJun 10, 2024 - 2:31 p.m.

SQL Injection

2024-06-1014:31:47

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

sql injection

api key

unauthorized access

data manipulation

confidential information

denial of service

vulnerability

software

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

7.3 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

litellm is vulnerable to SQL Injection. The vulnerability is due to improper neutralization of special elements in an SQL command within the /global/spend/logs endpoint, where the api_key parameter is concatenated directly into the query without validation. Successful exploitation could lead to unauthorized access, data manipulation, exposure of confidential information, and denial of service (DoS).

CPENameOperatorVersion
litellmle1.40.0.dev1
litellmle1.40.0.dev1

CPE	Name	Operator	Version
	litellm	le	1.40.0.dev1
	litellm	le	1.40.0.dev1

References

github.com/advisories/GHSA-h6m6-jj8v-94jj

github.com/BerriAI/litellm/commit/f75c15d6cd535aa78014378ad532de1df6be2f56

github.com/BerriAI/litellm/pull/3940

huntr.com/bounties/491e4884-0306-4cd4-8fe2-9a19de33bf5c

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

7.3 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:47450