CVE-2024-5751
CVSS V2 None
CVSS V3 None
Description
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model.
Overview
- CVE ID: CVE-2024-5751
- Assigner: @huntr_ai
- Vulnerability Status: PUBLISHED
- Published Version: 2024-06-27T18:40:49.896Z
- Last Modified Date: 2024-06-27T18:40:49.896Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-5751 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5751 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-28 13:09:24 | | | | Added to TrackCVE |