CVE-2024-4889 Information

Description

A code injection vulnerability exists in the berriai/litellm application version 1.34.6 due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid Google KMS configuration file to be exploitable. Specifically by setting the UI_LOGO_PATH variable to a remote server address in the get_image function an attacker can write a malicious Google KMS configuration file to the cached_logo.jpg file. This file can then be used to execute arbitrary code by assigning malicious code to the SAVE_CONFIG_TO_DB environment variable leading to full system control. The vulnerability is contingent upon the use of the Google KMS feature.

Reference

https://huntr.com/bounties/be3fda72-a65b-4993-9a0e-7e0f05db51f8