QID 731304
Date Published: 2024-03-29
QID 731304: Anyscale Ray Multiple Security Vulnerabilities
Ray is a unified way to scale Python and AI applications from a laptop to a cluster.
Anyscale Ray contains the following vulnerabilities:
- CVE-2023-6019: A command injection in the cpu_profile URL parameter of Ray's dashboard allows a remote attacker to execute OS commands on the system running the dashboard without authentication.
- CVE-2023-6020: A local file inclusion (LFI) in Ray's /static/ directory allows an unauthenticated attacker to read arbitrary files on the server.
- CVE-2023-6021: A local file inclusion (LFI) in Ray's log API endpoint allows an unauthenticated attacker to read arbitrary files on the server.
- CVE-2023-48022: Anyscale Ray allows a remote attacker to execute arbitrary code via the job submission API.
- CVE-2023-48023: Anyscale Ray allows server-side request forgery (SSRF) via the /log_proxy endpoint.
Affected versions: Anyscale Ray 2.6.3 and 2.8.0.
QID Detection Logic:
This unauthenticated QID detects vulnerable installations by sending known exploit attempts against the Ray dashboard of vulnerable versions; no credentials are needed because the affected endpoints do not require authentication.
Successful exploitation allows an unauthenticated, remote attacker to conduct Server-Side Request Forgery (SSRF), access sensitive files or execute arbitrary code on the targeted system.
Solution
Customers are advised to refer to the Anyscale Blog for information pertaining to these vulnerabilities. Anyscale Ray 2.8.1 and later versions remediate these vulnerabilities. Because the Ray dashboard and its job submission API are not authenticated by design, upgrading should be combined with restricting network access to the dashboard (TCP port 8265 by default) to trusted hosts only.
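The detection logic and solution above reduce to two questions a scanner or an operator needs answered without credentials: is the dashboard API reachable unauthenticated, and does the reported Ray version fall in the affected set (2.6.3, 2.8.0) or at or above the fixed version (2.8.1)? The script below is an added example, not Qualys' detection code or Anyscale's. It assumes, which the advisory does not state, that the dashboard answers GET /api/version with JSON carrying a "ray_version" field and listens on TCP 8265 by default; the sample response is constructed. Versions the advisory does not mention (for example 2.7.x) are reported as "unverified" rather than silently treated as safe.

```python
# Added example: unauthenticated Ray dashboard version fingerprint classified
# against the ranges in QID 731304. Not Qualys' or Anyscale's code.
# Assumptions (not stated in the advisory): the dashboard serves
# GET /api/version with JSON containing "ray_version", default port 8265.
import json
import re
import urllib.request
from urllib.error import URLError

AFFECTED_VERSIONS = {"2.6.3", "2.8.0"}  # versions the advisory names as vulnerable
FIXED_FROM = (2, 8, 1)                  # "2.8.1 and later versions remediate"

# Constructed sample body, shaped like the assumed /api/version payload.
SAMPLE_VERSION_BODY = b'{"version": "1", "ray_version": "2.8.0", "ray_commit": "abc1234"}'


def parse_version(text):
    """Return (major, minor, patch) from strings such as "2.8.0" or "2.8.0rc1".

    Pre-release suffixes are ignored, so "2.8.0rc1" compares as 2.8.0 and is
    flagged like the release it precedes rather than slipping through.
    """
    match = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("unrecognised Ray version string: %r" % (text,))
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Map a Ray version onto the advisory's ranges.

    "vulnerable": a version the advisory names.
    "fixed":      2.8.1 or later.
    "unverified": anything else (e.g. 2.7.x); the advisory is silent on it,
                  so treat it as suspect until checked against vendor notes.
    """
    parsed = parse_version(version_text)
    dotted = "%d.%d.%d" % parsed
    if dotted in AFFECTED_VERSIONS:
        return "vulnerable"
    if parsed >= FIXED_FROM:
        return "fixed"
    return "unverified"


def extract_ray_version(body):
    """Pull "ray_version" out of a /api/version response body (bytes)."""
    data = json.loads(body.decode("utf-8"))
    version = data.get("ray_version")
    if not isinstance(version, str):
        raise ValueError("response has no ray_version field")
    return version


def check_dashboard(base_url, timeout=5):
    """Query a live dashboard with no credentials and classify it.

    The request carries no authentication at all: if the version endpoint
    answers, the dashboard API is reachable unauthenticated, which is the
    precondition for every issue in this QID. Returns a result dict.
    """
    request = urllib.request.Request(
        base_url.rstrip("/") + "/api/version",
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            body = response.read()
    except URLError as exc:  # also covers HTTPError (e.g. 404 on a non-Ray host)
        return {"reachable": False, "error": str(exc)}
    version = extract_ray_version(body)
    return {"reachable": True, "ray_version": version, "status": classify(version)}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live target use
    # check_dashboard("http://HEAD_NODE:8265") with HEAD_NODE filled in.
    sample_version = extract_ray_version(SAMPLE_VERSION_BODY)
    print(sample_version, "->", classify(sample_version))
```

A "reachable" result is itself a finding: the advisory's exploitation path starts from an unauthenticated dashboard, so a host that answers /api/version from an untrusted network should be fenced off regardless of its version.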
Vendor References
Anyscale Blog (see Solution above)
CVEs related to QID 731304
CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, CVE-2023-48022, CVE-2023-48023
Software Advisories: Anyscale Ray 2.8.1 and later