CVE-2024-4264
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.get_secret() method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the /config/update endpoint, which allows for the update of settings in proxy_server_config.yaml.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| berriai | berriai/litellm | unspecified <= latest | affected |
Weaknesses
- CWE-94: CWE-94 Improper Control of Generation of Code
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.