A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
References
Link | Resource |
---|---|
https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe | Exploit |
Configurations
History
06 Dec 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
Summary | A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023 |
06 Dec 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
Summary | A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-... https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023 |
29 Nov 2023, 18:15
Type | Values Removed | Values Added |
---|---|---|
Summary | A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. | |
CWE | CWE-78 |
24 Nov 2023, 23:05
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:ray_project:ray:-:*:*:*:*:*:*:* | |
First Time |
Ray Project
Ray Project ray |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | () https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe - Exploit |
16 Nov 2023, 17:30
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-16 17:15
Updated : 2024-02-28 20:54
NVD link : CVE-2023-6019
Mitre link : CVE-2023-6019
CVE.ORG link : CVE-2023-6019
JSON object : View
Products Affected
ray_project
- ray
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')