Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03Z2dtLTRyamctNTk0d84AA8R2
litellm passes untrusted data to `eval` function without sanitization
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of code generation: the `eval` function is used unsafely in the `litellm.get_secret()` method. Specifically, when the server uses Google KMS, untrusted data is passed to `eval` without any sanitization. Attackers can exploit this by injecting malicious values into environment variables through the `/config/update` endpoint, which allows updating settings in `proxy_server_config.yaml`. Reaching that endpoint requires privileged access to the proxy, which is why the CVSS vector below carries PR:H.
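The pattern behind this class of bug is a "convenience" `eval()` used to turn a decrypted secret string such as `"True"` or `"42"` into a Python value. The block below is an added illustration written for this page, not litellm's own code: `fake_kms_decrypt`, the `EXECUTED` sink, and the sample payload are all constructed stand-ins, and the hardened `coerce_secret()` is one possible fix, not the project's. It shows the vulnerable coercion executing attacker-controlled plaintext side by side with an allow-listed coercion that returns the same payload as an inert string.

```python
"""Vulnerable vs. hardened coercion of a decrypted secret (added example, not litellm code)."""
import re

# Constructed side-effect sink: lets the test observe that eval() ran attacker code
# without touching the filesystem, network or environment.
EXECUTED: list[str] = []

# Constructed stand-in for a KMS decrypt call. In the real flow the plaintext is
# whatever was stored via the attacker-writable config, so it is untrusted input.
def fake_kms_decrypt(ciphertext: bytes) -> str:
    return ciphertext.decode("utf-8")

# Constructed payload: a Python expression that has a side effect and then
# evaluates to something that looks like a harmless secret value.
PAYLOAD = "EXECUTED.append('pwned') or 'looks-like-a-secret'"


def get_secret_unsafe(stored_value: str) -> object:
    """Vulnerable pattern: eval() the decrypted plaintext to 'convert' bool/int strings.

    eval() runs the plaintext as code with this module's globals, so any expression
    the attacker stored is executed with the proxy's privileges.
    """
    plaintext = fake_kms_decrypt(stored_value.encode("utf-8"))
    try:
        return eval(plaintext)  # noqa: S307 -- deliberately vulnerable, do not copy
    except Exception:
        return plaintext


def coerce_secret(plaintext: str) -> object:
    """Hardened coercion: explicit allow-list of shapes, everything else stays a str.

    Only 'true'/'false', 'none'/'null' and optionally-negative integers are converted.
    No parsing of arbitrary literals, no attribute access, no function calls.
    """
    value = plaintext.strip()
    lowered = value.lower()
    if lowered in ("true", "false"):
        return lowered == "true"
    if lowered in ("none", "null"):
        return None
    if re.fullmatch(r"-?[0-9]+", value):
        return int(value)
    return value


def get_secret_safe(stored_value: str) -> object:
    """Same decrypt step, but the plaintext is data, never code."""
    plaintext = fake_kms_decrypt(stored_value.encode("utf-8"))
    return coerce_secret(plaintext)


def demo() -> dict[str, object]:
    """Run both paths over a benign value and the payload; returns what each produced."""
    return {
        "safe_bool": get_secret_safe("True"),
        "safe_payload": get_secret_safe(PAYLOAD),
        "executed_before_eval": list(EXECUTED),
        "unsafe_payload": get_secret_unsafe(PAYLOAD),
        "executed_after_eval": list(EXECUTED),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

`ast.literal_eval` would also refuse this particular payload, but it still parses arbitrarily large container literals and accepts more shapes than a secret ever needs; an explicit allow-list like `coerce_secret()` is the tighter fix, and the decrypted plaintext should be treated as opaque data unless a specific conversion is required.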
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Z2dtLTRyamctNTk0d84AA8R2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-7ggm-4rjg-594w, CVE-2024-4264
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-4264
- https://huntr.com/bounties/a3221b0c-6e25-4295-ab0f-042997e8fc61
- https://github.com/BerriAI/litellm/blob/main/litellm/proxy/proxy_server.py#L2104-L2108
- https://github.com/BerriAI/litellm/blob/main/litellm/proxy/proxy_server.py#L2118
- https://github.com/BerriAI/litellm/blob/main/litellm/proxy/proxy_server.py#L2509-L2517
- https://github.com/BerriAI/litellm/blob/main/litellm/proxy/proxy_server.py#L2562-L2577
- https://github.com/BerriAI/litellm/blob/main/litellm/utils.py#L9867-L9885
- https://github.com/advisories/GHSA-7ggm-4rjg-594w
Blast Radius: 0.0
Affected Packages
pypi:litellm
Dependent packages: 116
Dependent repositories: 1
Downloads: 1,975,823 last month
Affected Version Ranges: <= 1.28.11
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.31, 0.1.32, 0.1.34, 0.1.201, 0.1.202, 0.1.203, 0.1.204, 0.1.205, 0.1.206, 0.1.207, 0.1.208, 0.1.209, 0.1.210, 0.1.211, 0.1.212, 0.1.213, 0.1.214, 0.1.215, 0.1.216, 0.1.217, 0.1.218, 0.1.219, 0.1.220, 0.1.221, 0.1.222, 0.1.223, 0.1.224, 0.1.225, 0.1.226, 0.1.227, 0.1.228, 0.1.229, 0.1.230, 0.1.231, 0.1.232, 0.1.233, 0.1.234, 0.1.235, 0.1.236, 0.1.237, 0.1.238, 0.1.330, 0.1.331, 0.1.341, 0.1.343, 0.1.345, 0.1.347, 0.1.348, 0.1.349, 0.1.351, 0.1.352, 0.1.353, 0.1.354, 0.1.356, 0.1.360, 0.1.361, 0.1.362, 0.1.363, 0.1.364, 0.1.365, 0.1.366, 0.1.367, 0.1.368, 0.1.369, 0.1.370, 0.1.371, 0.1.372, 0.1.373, 0.1.375, 0.1.376, 0.1.379, 0.1.380, 0.1.381, 0.1.383, 0.1.384, 0.1.385, 0.1.386, 0.1.387, 0.1.388, 0.1.389, 0.1.392, 0.1.393, 0.1.394, 0.1.398, 0.1.399, 0.1.400, 0.1.401, 0.1.402, 0.1.403, 0.1.404, 0.1.405, 0.1.408, 0.1.410, 0.1.411, 0.1.412, 0.1.415, 0.1.419, 0.1.420, 0.1.421, 0.1.422, 0.1.424, 0.1.425, 0.1.426, 0.1.429, 0.1.432, 0.1.433, 0.1.434, 0.1.435, 0.1.436, 0.1.437, 0.1.438, 0.1.439, 0.1.440, 0.1.441, 0.1.442, 0.1.443, 0.1.444, 0.1.445, 0.1.446, 0.1.447, 0.1.448, 0.1.449, 0.1.450, 0.1.451, 0.1.452, 0.1.456, 0.1.457, 0.1.459, 0.1.460, 0.1.461, 0.1.464, 0.1.465, 0.1.475, 0.1.477, 0.1.479, 0.1.480, 0.1.481, 0.1.482, 0.1.486, 0.1.487, 0.1.488, 0.1.490, 0.1.491, 0.1.492, 0.1.493, 0.1.494, 0.1.495, 0.1.497, 0.1.500, 0.1.501, 0.1.504, 0.1.507, 0.1.508, 0.1.509, 0.1.510, 0.1.511, 0.1.512, 0.1.516, 0.1.517, 0.1.518, 0.1.520, 0.1.525, 0.1.530, 0.1.531, 0.1.533, 0.1.535, 0.1.536, 0.1.537, 0.1.538, 0.1.544, 0.1.546, 0.1.547, 0.1.548, 0.1.549, 0.1.550, 0.1.551, 0.1.552, 0.1.553, 0.1.554, 0.1.555, 0.1.556, 0.1.557, 0.1.558, 0.1.559, 0.1.560, 0.1.561, 0.1.562, 0.1.563, 0.1.567, 0.1.568, 0.1.569, 0.1.570, 0.1.574, 0.1.578, 0.1.580, 0.1.582, 0.1.583, 0.1.585, 0.1.586, 0.1.587, 0.1.590, 0.1.591, 0.1.593, 0.1.594, 0.1.595, 0.1.596, 0.1.597, 0.1.598, 0.1.600, 0.1.601, 0.1.604, 0.1.605, 0.1.607, 0.1.609, 0.1.610, 0.1.615, 
0.1.618, 0.1.619, 0.1.620, 0.1.621, 0.1.623, 0.1.624, 0.1.625, 0.1.626, 0.1.629, 0.1.630, 0.1.631, 0.1.632, 0.1.634, 0.1.635, 0.1.636, 0.1.638, 0.1.639, 0.1.641, 0.1.642, 0.1.643, 0.1.644, 0.1.645, 0.1.646, 0.1.647, 0.1.648, 0.1.649, 0.1.650, 0.1.651, 0.1.652, 0.1.674, 0.1.680, 0.1.681, 0.1.683, 0.1.685, 0.1.686, 0.1.687, 0.1.689, 0.1.690, 0.1.692, 0.1.693, 0.1.696, 0.1.697, 0.1.698, 0.1.700, 0.1.702, 0.1.704, 0.1.706, 0.1.714, 0.1.715, 0.1.716, 0.1.719, 0.1.720, 0.1.721, 0.1.723, 0.1.724, 0.1.729, 0.1.736, 0.1.738, 0.1.743, 0.1.745, 0.1.746, 0.1.747, 0.1.748, 0.1.749, 0.1.750, 0.1.751, 0.1.758, 0.1.765, 0.1.769, 0.1.772, 0.1.774, 0.1.780, 0.1.781, 0.1.784, 0.1.786, 0.1.788, 0.1.789, 0.1.793, 0.1.794, 0.1.805, 0.1.806, 0.1.807, 0.1.813, 0.1.814, 0.1.815, 0.1.816, 0.1.817, 0.1.818, 0.1.819, 0.1.820, 0.1.821, 0.1.824, 0.1.2291, 0.1.7701, 0.1.7713, 0.2.5, 0.2.6, 0.3.0, 0.3.1, 0.4.0, 0.4.4, 0.5.2, 0.5.3, 0.5.4, 0.5.6, 0.6.0, 0.6.1, 0.6.2, 0.6.6, 0.7.1, 0.7.3, 0.7.4, 0.7.5, 0.7.9, 0.7.10, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.11.1, 0.12.4, 0.12.5, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 1.0.0, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.3.1, 1.3.3, 1.4.0, 1.6.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.21, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.6, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.14.10, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.6, 1.15.7, 1.15.8, 1.15.10, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.16.6, 1.16.7, 1.16.8, 1.16.9, 1.16.10, 1.16.11, 1.16.12, 1.16.14, 1.16.15, 1.16.16, 1.16.17, 1.16.18, 1.16.19, 1.16.20, 1.16.21, 1.17.0, 1.17.1, 
1.17.2, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.17.7, 1.17.8, 1.17.9, 1.17.10, 1.17.12, 1.17.13, 1.17.14, 1.17.15, 1.17.16, 1.17.17, 1.17.18, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.18.7, 1.18.8, 1.18.9, 1.18.10, 1.18.11, 1.18.12, 1.18.13, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.19.6, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.20.5, 1.20.6, 1.20.7, 1.20.8, 1.20.9, 1.21.0, 1.21.1, 1.21.4, 1.21.5, 1.21.6, 1.21.7, 1.22.2, 1.22.3, 1.22.5, 1.22.8, 1.22.9, 1.22.10, 1.22.11, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.23.5, 1.23.7, 1.23.8, 1.23.9, 1.23.10, 1.23.12, 1.23.14, 1.23.15, 1.23.16, 1.24.1, 1.24.3, 1.24.5, 1.24.6, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.26.5, 1.26.6, 1.26.7, 1.26.8, 1.26.9, 1.26.10, 1.26.11, 1.26.13, 1.27.1, 1.27.3, 1.27.4, 1.27.6, 1.27.7, 1.27.8, 1.27.9, 1.27.10, 1.27.14, 1.27.15, 1.28.0, 1.28.1, 1.28.2, 1.28.3, 1.28.4, 1.28.6, 1.28.7, 1.28.8, 1.28.9, 1.28.10, 1.28.11