Impact
LiteLLM contains a critical SQL injection vulnerability in the API key verification path of the Proxy [S1]. This flaw allows unauthenticated attackers to bypass security checks and potentially access or exfiltrate data from the database [S1][S3].
Root Cause
The issue is classified as CWE-89 (SQL Injection) [S1]. It lies in the API key verification of the LiteLLM Proxy component [S2]. The defect stems from insufficient sanitization of input that is used in database queries [S1].
Affected Versions
LiteLLM versions 1.81.16 through 1.83.6 are affected by this vulnerability [S1].
Concrete Fix
Update LiteLLM to version 1.83.7 or later to mitigate this vulnerability [S1].
How FixVibe tests for it
FixVibe now includes this check in its GitHub repo scans. The scan reads only the dependency files of the authorized repository, including requirements.txt, pyproject.toml, poetry.lock, and Pipfile.lock. It extracts LiteLLM pins or version constraints that fall within the affected range >=1.81.16 <1.83.7, then reports the dependency file, line number, advisory ID, affected range, and fixed version.
This is a static, read-only check. It does not execute customer code and does not send any payloads.
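As an added illustration of the check described above (example code, not FixVibe's own scanner): a read-only scan over constructed dependency-file contents that flags LiteLLM pins inside >=1.81.16 <1.83.7 and reports file, line, version, advisory ID, affected range and fixed version. The advisory ID is a placeholder because the page does not give one; for poetry.lock the scan tracks the current [[package]] table so that a version line is attributed to litellm only.

```python
import re
from typing import List, NamedTuple
# Added example, not FixVibe's own code: a static, read-only scan of dependency
# files for LiteLLM pins inside the affected range >=1.81.16 <1.83.7.
AFFECTED_MIN, FIXED = (1, 81, 16), (1, 83, 7)
AFFECTED_RANGE, FIXED_VERSION = ">=1.81.16 <1.83.7", "1.83.7"
ADVISORY_ID = "ADVISORY-ID-PLACEHOLDER"  # placeholder: the page names no advisory ID

class Finding(NamedTuple):
    file: str
    line: int
    version: str
    advisory: str
    affected_range: str
    fixed_version: str

def parse_version(text: str) -> tuple:  # '1.82.0' -> (1, 82, 0), release segments only
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def is_affected(version: str) -> bool:  # inclusive lower bound, exclusive fixed release
    return AFFECTED_MIN <= parse_version(version) < FIXED

# One-line pins: requirements.txt ('litellm==1.82.0') and pyproject/Pipfile
# ('litellm = "==1.82.0"'); poetry.lock puts name and version on separate lines.
PIN_RE = re.compile(r'^\s*litellm\s*=?\s*"?==\s*([\d.]+)', re.I)
NAME_RE = re.compile(r'^\s*name\s*=\s*"litellm"\s*$', re.I)
VERSION_RE = re.compile(r'^\s*version\s*=\s*"([\d.]+)"')

def scan_file(path: str, content: str) -> List[Finding]:
    findings, in_litellm_table = [], False
    for lineno, line in enumerate(content.splitlines(), start=1):
        if line.lstrip().startswith("["):
            in_litellm_table = False  # a new TOML table begins
        if NAME_RE.match(line):
            in_litellm_table = True
        m = PIN_RE.match(line) or (in_litellm_table and VERSION_RE.match(line))
        if m and is_affected(m.group(1)):
            findings.append(Finding(path, lineno, m.group(1), ADVISORY_ID,
                                    AFFECTED_RANGE, FIXED_VERSION))
    return findings

# Constructed sample inputs (not taken from any real repository).
SAMPLE_FILES = {
    "requirements.txt": "fastapi==0.110.0\nlitellm==1.82.0\n",
    "pyproject.toml": '[tool.poetry.dependencies]\nlitellm = "==1.83.7"\n',
    "poetry.lock": ('[[package]]\nname = "litellm"\nversion = "1.81.16"\n\n'
                    '[[package]]\nname = "requests"\nversion = "2.31.0"\n'),
}

def scan_repo(files=SAMPLE_FILES) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_file(path, text)]
```

Only the requirements.txt pin (1.82.0) and the poetry.lock entry (1.81.16) are reported; the pyproject.toml pin at 1.83.7 is already the fixed release.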
