Replies: 3 comments 18 replies
-
|
Hi @Fewword could you please share the issues? We received a huntr email, but when going to the link they shared, we were unable to create additional keys - as our db auth checks this. Open to feedback though. Can you show me how you might create additional keys with the default user flow? Context: |
Beta Was this translation helpful? Give feedback.
-
|
converting to discussion for now |
Beta Was this translation helpful? Give feedback.
-
|
hi @krrishdholakia thanks for the quick response! Just to clarify, have you registered for a Huntr account using your GitHub account? This should give you the access needed to view the details of the security vulnerability I've reported. If there's any confusion or additional steps needed, I'm here to help guide you through the process. Looking forward to your feedback and resolving the vulnerabilities together! |
Beta Was this translation helpful? Give feedback.
-
|
@Fewword can you explain what is the security vulnerability here ? If you're not authenticated you cannot call |
Beta Was this translation helpful? Give feedback.
-
|
@ishaan-jaff I ran the litellm docker image locally and then used the default administrator account to create a user named user1. After creation, the api-key provided for user1 was sk-EDPWeidMYhR87NOwUwoR6g. Then, I used the administrator account to create a team called team1, with the team ID being 45e3e396-ee08-4a61-a88e-16b3ce7e0849. However, at that time, team1's members included only the default administrator, and user1 was not a member of team1. When I called the API using the key sk-EDPWeidMYhR87NOwUwoR6g for authentication, the system did not check user1's roles and permissions, lacking authorization verification, which resulted in the deletion of team1. |
Beta Was this translation helpful? Give feedback.
-
|
okay understood - Tracking that as an issue here and we will fix it: #2955 @Fewword We would appreciate if you filed these as issues on the litellm Github Repo or on discord, it allows us to address them much faster |
Beta Was this translation helpful? Give feedback.
-
|
@ishaan-jaff No problem, glad to help! Thanks for tracking this as an issue. I'd also appreciate if you could re-evaluate the vulnerability reports I've submitted to ensure they are addressed properly. Looking forward to the fixes and happy to contribute further! |
Beta Was this translation helpful? Give feedback.
-
|
hi @ishaan-jaff, could you update my reports on huntr and validate these vulnerabilities? |
Beta Was this translation helpful? Give feedback.
-
What happened?
Status - Resolved ✅
Few security vulnerability has been disclosed to huntr for this repo.
Fix those bug ASAP
report link -->
https://huntr.com/bounties/70897f59-a966-4d93-b71e-745e3da91970
report are currently private and only repo maintainer can see the report details.
If you are repo maintainer then there is 2 way to view the report details
by signup
by secret magick link that has been sent to your mail by huntr.com.
Relevant log output
No response
Twitter / LinkedIn details
No response
Beta Was this translation helpful? Give feedback.
All reactions