SCA: security update for litellm (GHSA-h6m6-jj8v-94jj)

high Tenable Self-Hosted Container Security Plugin ID 415527

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the
`/global/spend/logs` endpoint. The vulnerability arises due to improper neutralization of special elements
used in an SQL command. The affected code constructs an SQL query by concatenating an unvalidated
`api_key` parameter directly into the query, making it susceptible to SQL Injection if the `api_key`
contains malicious data. This issue affects the latest version of the repository. Successful exploitation
of this vulnerability could lead to unauthorized access, data manipulation, exposure of confidential
information, and denial of service (DoS). (CVE-2024-5225)

See Also

https://github.com/advisories/GHSA-h6m6-jj8v-94jj

Plugin Details

Severity: High

ID: 415527

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 8.3

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2024-5225

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/6/2024

Vulnerability Publication Date: 6/6/2024

Reference Information

CVE: CVE-2024-5225

cwe: CWE-89