github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-qqcv-vg9f-5rr3] litellm vulnerable to improper access control in team management #4565

Closed krrishdholakia closed 1 week ago

krrishdholakia commented 1 week ago

Updates:

Comments: This is not a current vulnerability. It's already been fixed. Incorrect report.

[Screenshot attached, 2024-06-28]
shelbyc commented 1 week ago

Hi @krrishdholakia, thank you for letting us know that GHSA-qqcv-vg9f-5rr3 is fixed. I would like to include a fix commit for readers to refer to. Do you know which commit in 1.40.28 is the fix commit?

krrishdholakia commented 1 week ago

Hey @shelbyc it was a lot earlier than v1.40.28. If you look at the issue thread on huntr, even they couldn't repro it.

We've had a couple of refactors, so it's hard for me to point to the fix, but here's the point in code which checks for this - https://github.com/BerriAI/litellm/blob/224148d6133ee50801cb129cbd21ccc213992e25/litellm/proxy/auth/user_api_key_auth.py#L1020

advisory-database[bot] commented 1 week ago

Hi @krrishdholakia! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

shelbyc commented 1 week ago

Cool, thanks for the info! It looks like https://github.com/BerriAI/litellm/blob/224148d6133ee50801cb129cbd21ccc213992e25/litellm/proxy/auth/user_api_key_auth.py#L1020 was added in 1.40.15 so I set 1.40.15 as the patched version.

krrishdholakia commented 1 week ago

Thanks @shelbyc