PT-2024-33259 · Unknown · Berriai/Litellm

Published: 2024-06-06 · Updated: 2024-10-10 · CVE-2024-4890

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: berriai/litellm version 1.27.14

Description: A blind SQL injection issue exists in the application, specifically within the "/team/update" process. This issue arises due to the improper handling of the user id parameter in the raw SQL query used for deleting users. An attacker can exploit this by injecting malicious SQL commands through the user id parameter, potentially leading to unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database.

Recommendations: For version 1.27.14, consider disabling the /team/update process until a patch is available to prevent exploitation. Restrict access to the user id parameter in the affected process to minimize the risk of unauthorized access. Avoid using the user id parameter in the "/team/update" endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
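To illustrate the defect class the description names (a raw DELETE statement built from a caller-supplied user id) next to the standard fix, here is an added example; it is not litellm's code. The table name, schema, helper names and the use of SQLite in place of the real database are all assumptions made for the illustration.

```python
import sqlite3

# Constructed in-memory table standing in for a team-membership store.
# Hypothetical schema, not litellm's actual data model.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE team_members (team_id TEXT, user_id TEXT)")
    conn.executemany(
        "INSERT INTO team_members VALUES (?, ?)",
        [("team-a", "user-1"), ("team-a", "user-2"), ("team-b", "user-3")],
    )
    conn.commit()
    return conn

def delete_member_unsafe(conn: sqlite3.Connection, team_id: str, user_id: str) -> int:
    # Vulnerable pattern: the caller-controlled id is pasted into the SQL text,
    # so quote characters in it become part of the statement and change its meaning.
    sql = (
        f"DELETE FROM team_members "
        f"WHERE team_id = '{team_id}' AND user_id = '{user_id}'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually deleted

def delete_member_safe(conn: sqlite3.Connection, team_id: str, user_id: str) -> int:
    # Hardened pattern: bound parameters. The driver passes the id as data,
    # never as SQL, so metacharacters in it cannot alter the WHERE clause.
    cur = conn.execute(
        "DELETE FROM team_members WHERE team_id = ? AND user_id = ?",
        (team_id, user_id),
    )
    conn.commit()
    return cur.rowcount

def remaining(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM team_members").fetchone()[0]

if __name__ == "__main__":
    # A user id containing SQL metacharacters (constructed test input) removes
    # every row through the unsafe function and nothing through the safe one.
    odd_id = "nobody' OR '1'='1"
    db = make_db()
    print("unsafe deleted:", delete_member_unsafe(db, "team-a", odd_id), "left:", remaining(db))
    db = make_db()
    print("safe deleted:", delete_member_safe(db, "team-a", odd_id), "left:", remaining(db))
```

The rowcount difference is the whole story: with string interpolation the WHERE clause collapses to a tautology, whereas the bound-parameter version matches no row because the id is compared as a literal.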

Exploit: SQL injection

Weakness Enumeration

Related Identifiers: CVE-2024-4890, GHSA-8J42-PCFM-3467

Affected Products: Berriai/Litellm