Strix
26.1K

CVE-2024-4889

HIGHCVSS 7.2/10EPSS 0.86%

Last modified

CVE-2024-4889 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid Google KMS configuration file to be exploitable. EPSS estimates a 0.86% chance of exploitation in the next 30 days.

Description

A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid Google KMS configuration file to be exploitable. Specifically, by setting the `UI_LOGO_PATH` variable to a remote server address in the `get_image` function, an attacker can write a malicious Google KMS configuration file to the `cached_logo.jpg` file. This file can then be used to execute arbitrary code by assigning malicious code to the `SAVE_CONFIG_TO_DB` environment variable, leading to full system control. The vulnerability is contingent upon the use of the Google KMS feature.

Metrics

CVSS 3.1
7.2/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.86%

53.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
LitellmLitellm< 1.44.16

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2024-4889?
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid Google KMS configuration file to be exploitable. Specifically, by setting the `UI_LOGO_PATH` variable to a remote server address in the `get_image` function, an attacker can write a malicious Google KMS configuration file to the `cached_logo.jpg` file. This file can then be used to execute arbitrary code by assigning malicious code to the `SAVE_CONFIG_TO_DB` environment variable, leading to full system control. The vulnerability is contingent upon the use of the Google KMS feature.
How severe is CVE-2024-4889?
CVE-2024-4889 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 0.86% probability of exploitation in the next 30 days.
How do I fix CVE-2024-4889?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-4889?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST