CVE-2024-5751 : BERRIAI LITELLM UP TO 1.35.8 ENVIRONMENT VARIABLE ADD_DEPLOYMENT CODE INJECTION - Cloud WAF

Free Trial

CVE-2024-5751 : BERRIAI LITELLM UP TO 1.35.8 ENVIRONMENT VARIABLE ADD_DEPLOYMENT CODE INJECTION

Description

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model.

References

https://huntr.com/bounties/ae623c2f-b64b-4245-9ed4-f13a0a5824ce

For More Information

Contact us to get started

CVE-2024-5822 : GAIZHENBIAO CHUANHUCHATGPT UP TO 20240410 SERVER-SIDE REQUEST FORGERY

CVE-2024-5822 : GAIZHENBIAO CHUANHUCHATGPT UP TO 20240410 SERVER-SIDE REQUEST FORGERY

Description A Server-Side Request Forgery (SSRF) vulnerability exists in the upload processing interface of gaizhenbiao/ChuanhuChatGPT versions

Learn more

CVE-2024-5980 : LIGHTNING-AI PYTORCH-LIGHTNING UP TO 2.2.4 API ENDPOINT /V1/RUNS UNRESTRICTED UPLOAD

CVE-2024-5980 : LIGHTNING-AI PYTORCH-LIGHTNING UP TO 2.2.4 API ENDPOINT /V1/RUNS UNRESTRICTED UPLOAD

Description A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz

Learn more

CVE-2024-5751 : BERRIAI LITELLM UP TO 1.35.8 ENVIRONMENT VARIABLE ADD_DEPLOYMENT CODE INJECTION

CVE-2024-5751 : BERRIAI LITELLM UP TO 1.35.8 ENVIRONMENT VARIABLE ADD_DEPLOYMENT CODE INJECTION

Description BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the

Learn more