Aggregates CVE and security vulnerability intelligence across all ray_project-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk path handling and vendor risk command injection; exposure may include vendor impact file overwrite in vendor surface production workloads contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-6020 | LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. | [email protected] | 7.5 | 14.65% | 2023-11-16 | 2024-11-21 |
| CVE-2023-6021 | LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023 | [email protected] | 7.5 | 37.08% | 2023-11-16 | 2024-11-21 |
| CVE-2023-6019 | A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023 | [email protected] | 9.8 | 74.63% | 2023-11-16 | 2024-11-21 |