{"id":"CVE-2024-4890","details":"A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises because the 'user_id' parameter is not safely handled when it is placed into the raw SQL query used for deleting users; the appropriate remediation is a parameterized query rather than string-built SQL. An attacker who can reach this endpoint can exploit the flaw by injecting SQL through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database. Note that the CVSS vector (PR:H) indicates the attacker must already hold a highly privileged account, so the realistic exposure is from a malicious or compromised privileged identity rather than an anonymous user; blind injection also means data is extracted indirectly (e.g. via boolean or timing differences) rather than returned in the response. Versions up to and including 1.27.14 are affected; this record lists a last-affected commit rather than a fixed version, so consult the upstream repository or the referenced advisory to confirm which release contains the fix before treating an upgrade as remediation.","aliases":["GHSA-8j42-pcfm-3467"],"modified":"2026-04-10T05:59:54.882307Z","published":"2024-06-06T19:16:03.630Z","references":[{"type":"EVIDENCE","url":"https://huntr.com/bounties/a4f6d357-5b44-4e00-9cac-f1cc351211d2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/berriai/litellm","events":[{"introduced":"0"},{"last_affected":"0591b4b846513754370896c06943092a3c63ecc9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.27.14"}]}}],"versions":["1.16.12","1.16.13","1.16.14","v0.1.387","v0.1.492","v0.1.574","v0.1.738","v0.11.1","v0.8.4","v1.1.0","v1.10.4","v1.11.1","v1.15.0","v1.15.5","v1.16-test2","v1.16-test3","v1.16-test4","v1.16.13","v1.16.15","v1.16.16","v1.16.17","v1.16.17-test","v1.16.17-test2","v1.16.17-test3","v1.16.18","v1.16.19","v1.16.20","v1.16.20.dev1","v1.16.20.dev3","v1.16.21","v1.16.3","v1.16.6","v1.17.0","v1.17.1","v1.17.10","v1.17.12","v1.17.13","v1.17.14","v1.17.15","v1.17.16","v1.17.17","v1.17.18","v1.17.2","v1.17.3","v1.17.4","v1.17.5","v1.17.6","v1.17.7","v1.17.8","v1.17.9","v1.18.0","v1.18.1","v1.18.10","v1.18.11","v1.18.12","v1.18.13","v1.18.2","v1.18.4","v1.18.5","v1.18.6","v1.18.7","v1.18.8","v1.18.9","v1.19.0","v1.19.2","v1.19.3","v1.19.4","v1.19.6","v1.20.0","v1.20.1","v1.20.2","v1.20.3","v1.20.5","v1.20.6","v1.20.7","v1.20.8","v1.20.9","v1.21.0","v1.21.1","v1.21.4","v1.21.5","v1.21.6","v1.21.7","v1.22.10","v1.22.11","v1.22.2","v1.22.3","v1
.22.5","v1.22.8","v1.22.9","v1.23.0","v1.23.1","v1.23.10","v1.23.12","v1.23.14","v1.23.15","v1.23.16","v1.23.2","v1.23.3","v1.23.4","v1.23.5","v1.23.7","v1.23.8","v1.23.9","v1.24.1","v1.24.3","v1.24.5","v1.24.6","v1.25.0","v1.25.1","v1.25.2","v1.26.0","v1.26.1","v1.26.10","v1.26.11","v1.26.13","v1.26.2","v1.26.3","v1.26.4","v1.26.5","v1.26.6","v1.26.7","v1.26.8","v1.26.9","v1.27.1","v1.27.10","v1.27.14","v1.27.4","v1.27.6","v1.27.7","v1.27.8","v1.27.9","v1.7.1","v1.7.11"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4890.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}]}