CVE-2024-4889

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-4889
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-4889.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-4889
Published
2024-06-06T18:15:18Z
Modified
2025-02-14T11:55:32.916457Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid Google KMS configuration file to be exploitable. Specifically, by setting the UI_LOGO_PATH variable to a remote server address in the get_image function, an attacker can write a malicious Google KMS configuration file to the cached_logo.jpg file. This file can then be used to execute arbitrary code by assigning malicious code to the SAVE_CONFIG_TO_DB environment variable, leading to full system control. The vulnerability is contingent upon the use of the Google KMS feature.

References

Affected packages

Git / github.com/berriai/litellm

Affected ranges

Type
GIT
Repo
https://github.com/berriai/litellm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.16.12
1.16.13
1.16.14
1.34.2
1.34.20-stable
1.34.28.dev3
1.34.35-stable
1.34.39.dev1
1.34.40.dev1
1.35.1.dev1
1.35.13.dev1
1.35.19.dev1
1.35.24.dev6
1.35.26.dev3
1.35.33.dev4
1.35.36
1.35.36.dev1
1.35.5.dev2
1.40.3.dev2
1.40.8.dev1
1.41.11.dev5
1.41.12.dev1
1.41.14.dev15
1.44.6

Other

latest
pr-litellm-spend-logs-db
stable
test

v.*

v.1.32.34-stable

v0.*

v0.1.387
v0.1.492
v0.1.574
v0.1.738
v0.11.1
v0.8.4

v1.*

v1.1.0
v1.10.4
v1.11.1
v1.15.0
v1.15.5
v1.16-test2
v1.16-test3
v1.16-test4
v1.16.13
v1.16.15
v1.16.16
v1.16.17
v1.16.17-test
v1.16.17-test2
v1.16.17-test3
v1.16.18
v1.16.19
v1.16.20
v1.16.20.dev1
v1.16.20.dev3
v1.16.21
v1.16.3
v1.16.6
v1.17.0
v1.17.1
v1.17.10
v1.17.12
v1.17.13
v1.17.14
v1.17.15
v1.17.16
v1.17.17
v1.17.18
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.17.7
v1.17.8
v1.17.9
v1.18.0
v1.18.1
v1.18.10
v1.18.11
v1.18.12
v1.18.13
v1.18.2
v1.18.3
v1.18.4
v1.18.5
v1.18.6
v1.18.7
v1.18.8
v1.18.9
v1.19.0
v1.19.2
v1.19.3
v1.19.4
v1.19.6
v1.20.0
v1.20.1
v1.20.2
v1.20.3
v1.20.5
v1.20.6
v1.20.7
v1.20.8
v1.20.9
v1.21.0
v1.21.1
v1.21.4
v1.21.5
v1.21.6
v1.21.7
v1.22.10
v1.22.11
v1.22.2
v1.22.3
v1.22.5
v1.22.8
v1.22.9
v1.23.0
v1.23.1
v1.23.10
v1.23.12
v1.23.14
v1.23.15
v1.23.16
v1.23.2
v1.23.3
v1.23.4
v1.23.5
v1.23.7
v1.23.8
v1.23.9
v1.24.1
v1.24.3
v1.24.5
v1.24.6
v1.25.0
v1.25.1
v1.25.2
v1.26.0
v1.26.1
v1.26.10
v1.26.11
v1.26.13
v1.26.2
v1.26.3
v1.26.4
v1.26.5
v1.26.6
v1.26.7
v1.26.8
v1.26.9
v1.27.1
v1.27.10
v1.27.14
v1.27.15
v1.27.4
v1.27.6
v1.27.7
v1.27.8
v1.27.9
v1.28.0
v1.28.1
v1.28.10
v1.28.11
v1.28.13
v1.28.2
v1.28.3
v1.28.4
v1.28.6
v1.28.7
v1.28.8
v1.28.9
v1.29.1
v1.29.3
v1.29.4
v1.29.5
v1.29.7
v1.30.0
v1.30.1
v1.30.2
v1.30.3
v1.30.4
v1.30.5
v1.30.6
v1.30.7
v1.31.10
v1.31.12
v1.31.12-dev
v1.31.12-dev1
v1.31.12-dev3
v1.31.13
v1.31.14
v1.31.15
v1.31.16
v1.31.17
v1.31.2
v1.31.3
v1.31.4
v1.31.5
v1.31.6
v1.31.7
v1.31.8
v1.31.9
v1.32.1
v1.32.3
v1.32.33-stable
v1.32.33.dev1
v1.32.4
v1.32.7
v1.32.7.dev1
v1.32.7.dev3
v1.32.7.dev5
v1.32.9
v1.33.0
v1.33.1
v1.33.2
v1.33.3
v1.33.4
v1.33.7
v1.33.8
v1.33.9
v1.34.0
v1.34.1
v1.34.10
v1.34.10.dev1
v1.34.12
v1.34.13
v1.34.14
v1.34.16
v1.34.17
v1.34.18
v1.34.19
v1.34.20
v1.34.21
v1.34.21-stable
v1.34.22
v1.34.22-stable
v1.34.22.dev15-stable
v1.34.23-stable
v1.34.25
v1.34.26
v1.34.27
v1.34.28
v1.34.28.dev12
v1.34.29
v1.34.3
v1.34.33
v1.34.34
v1.34.34.dev1
v1.34.35
v1.34.36
v1.34.36.dev2
v1.34.37
v1.34.37.dev1
v1.34.38
v1.34.39
v1.34.4
v1.34.4.dev1
v1.34.4.dev2
v1.34.40
v1.34.41
v1.34.42
v1.34.5
v1.34.6
v1.34.8
v1.34.8.dev1
v1.35.0
v1.35.1
v1.35.1.dev1
v1.35.1.dev2
v1.35.10
v1.35.11
v1.35.12
v1.35.13
v1.35.14
v1.35.15
v1.35.15-stable
v1.35.16
v1.35.17
v1.35.18
v1.35.19
v1.35.2
v1.35.2.dev4
v1.35.20
v1.35.20.dev2
v1.35.21
v1.35.21-stable
v1.35.23
v1.35.24
v1.35.24.dev1
v1.35.25
v1.35.26
v1.35.26.dev1
v1.35.28
v1.35.28.dev1
v1.35.29
v1.35.3
v1.35.30
v1.35.31
v1.35.32
v1.35.32.dev1
v1.35.33
v1.35.33.dev1
v1.35.33.dev2
v1.35.33.dev3
v1.35.34
v1.35.35
v1.35.35.dev1
v1.35.36
v1.35.36-dev2
v1.35.37
v1.35.38
v1.35.38-stable
v1.35.4
v1.35.5
v1.35.6
v1.35.7
v1.35.8
v1.35.8.dev1
v1.36.0
v1.36.1
v1.36.2
v1.36.2-stable
v1.36.3
v1.36.4
v1.36.4-stable
v1.37.0
v1.37.0.dev2_completion_cost
v1.37.0.dev_version_headers
v1.37.10
v1.37.11
v1.37.12
v1.37.12-stable
v1.37.12.dev1
v1.37.13
v1.37.13-stable
v1.37.14
v1.37.16
v1.37.16-stable
v1.37.17
v1.37.19
v1.37.19-stable
v1.37.2
v1.37.20
v1.37.20.dev1
v1.37.3
v1.37.3-stable
v1.37.5
v1.37.5-stable
v1.37.6
v1.37.7
v1.37.7-stable
v1.37.9
v1.37.9-stable
v1.38.0
v1.38.0-stable
v1.38.1
v1.38.10
v1.38.11
v1.38.12
v1.38.2
v1.38.3
v1.38.4
v1.38.4-stable
v1.38.5
v1.38.7
v1.38.7-stable
v1.38.8
v1.38.8-stable
v1.39.2
v1.39.3
v1.39.4
v1.39.5
v1.39.5-stable
v1.39.6
v1.40.0
v1.40.1
v1.40.1.dev2
v1.40.1.dev4
v1.40.10
v1.40.11
v1.40.12
v1.40.13
v1.40.13.dev1
v1.40.14
v1.40.14.dev1
v1.40.15
v1.40.16
v1.40.17
v1.40.19
v1.40.2
v1.40.2-stable
v1.40.20
v1.40.21
v1.40.22
v1.40.24
v1.40.25
v1.40.26
v1.40.27
v1.40.28
v1.40.29
v1.40.3
v1.40.3-stable
v1.40.3.dev4
v1.40.31
v1.40.4
v1.40.5
v1.40.6
v1.40.7
v1.40.7.dev1
v1.40.8
v1.40.8-stable
v1.40.9
v1.40.9-stable
v1.41.0
v1.41.0-stable
v1.41.1
v1.41.11
v1.41.11.dev1
v1.41.12
v1.41.13
v1.41.14
v1.41.14.dev10
v1.41.14.dev8
v1.41.15
v1.41.17
v1.41.18
v1.41.19
v1.41.2
v1.41.2-stable
v1.41.20
v1.41.21
v1.41.22
v1.41.22.dev4
v1.41.23
v1.41.23-stable
v1.41.24
v1.41.24.dev1
v1.41.25
v1.41.26
v1.41.26.dev1
v1.41.27
v1.41.28
v1.41.3
v1.41.3.dev2
v1.41.3.dev3
v1.41.4
v1.41.4.dev1
v1.41.5
v1.41.5.dev1
v1.41.6
v1.41.6.dev1
v1.41.7
v1.41.8
v1.41.8.dev1
v1.41.8.dev2
v1.42.0
v1.42.0-stable
v1.42.1
v1.42.10
v1.42.10-stable
v1.42.11
v1.42.12
v1.42.2
v1.42.2-stable
v1.42.3
v1.42.3-stable
v1.42.4
v1.42.4-stable
v1.42.5
v1.42.5-dev1
v1.42.5-dev2
v1.42.5-stable
v1.42.6
v1.42.7
v1.42.7-stable
v1.42.8
v1.42.9
v1.42.9-stable
v1.42.9-stable-fix
v1.42.9.dev1
v1.43.0
v1.43.0.dev1
v1.43.1
v1.43.1-dev1
v1.43.10
v1.43.10-stable
v1.43.12
v1.43.13
v1.43.13-stable
v1.43.13.dev1
v1.43.15
v1.43.15-stable
v1.43.16
v1.43.16-stable
v1.43.17
v1.43.18
v1.43.18-stable
v1.43.19
v1.43.19-stable
v1.43.19.dev1
v1.43.19.dev2
v1.43.2
v1.43.3
v1.43.3-dev1
v1.43.4
v1.43.4.dev5
v1.43.5
v1.43.5-stable
v1.43.6
v1.43.6-stable
v1.43.6.dev1
v1.43.7
v1.43.7-stable
v1.43.9
v1.43.9.dev1
v1.43.9.dev2
v1.43.9.dev3
v1.43.9.dev4
v1.44.1
v1.44.10
v1.44.10-stable
v1.44.11
v1.44.11-stable
v1.44.12
v1.44.12-stable
v1.44.13
v1.44.13-stable
v1.44.14
v1.44.14-stable
v1.44.15
v1.44.15-stable
v1.44.2
v1.44.3
v1.44.4
v1.44.4.dev2
v1.44.5
v1.44.6
v1.44.6-stable
v1.44.7
v1.44.8
v1.44.8-dev1
v1.44.9
v1.7.1
v1.7.11