CVE-2024-2952 - OpenCVE

BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3
https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-04-10T17:07:52.935Z

Updated: 2024-07-03T16:51:12.428Z

Reserved: 2024-03-26T18:00:46.844Z

Link: CVE-2024-2952

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-10T17:15:54.823

Modified: 2024-04-15T18:15:11.027

Link: CVE-2024-2952

JSON object: View

Redhat Information

No data.

CWE

CWE-76

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2952", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-03-26T18:00:46.844Z", "datePublished": "2024-04-10T17:07:52.935Z", "dateUpdated": "2024-07-03T16:51:12.428Z"}, "containers": {"cna": {"title": "Server-Side Template Injection in BerriAI/litellm", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:21.535Z"}, "descriptions": [{"lang": "en", "value": "BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_template` method processing the `chat_template` parameter from the `tokenizer_config.json` file through the Jinja template engine without proper sanitization. Attackers can exploit this by crafting malicious `tokenizer_config.json` files that execute arbitrary code on the server."}], "affected": [{"vendor": "berriai", "product": "berriai/litellm", "versions": [{"version": "unspecified", "lessThan": "1.34.42", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/a9e0a164-6de0-43a4-a640-0cbfb54220a4"}, {"url": "https://github.com/berriai/litellm/commit/8a1cdc901708b07b7ff4eca20f9cb0f1f0e8d0b3"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-76 Improper Neutralization of Equivalent Special Elements", "cweId": "CWE-76"}]}], "source": {"advisory": "a9e0a164-6de0-43a4-a640-0cbfb54220a4", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "berriai", "product": "litellm", "cpes": ["cpe:2.3:a:berriai:litellm:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.23.2", "status": "affected", "lessThan": "1.34.42", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T15:32:17.112100Z", "id": "CVE-2024-2952", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T16:51:12.428Z"}}]}}