PT-2023-8891 · Ray · Ray

Published: 2023-08-24 · Updated: 2024-03-27 · CVE-2023-6019

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Ray (affected versions not specified)

Description: The issue exists because special elements used in operating system commands are not neutralized, which allows a remote attacker to execute arbitrary commands using specially crafted data. The command injection is in the cpu profile URL parameter, so an attacker can execute operating system commands on the host running the Ray dashboard remotely and without authentication.

Recommendations: For all affected versions, consider disabling access to the cpu profile URL parameter as a temporary workaround until a patch is available, and restrict access to the Ray dashboard to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
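The weakness class named in the description (special elements in a URL parameter reaching an operating system command without neutralization) is easiest to see side by side with the defensive pattern that removes it. The following is an added illustration, not Ray's dashboard code and not the vulnerable code behind this advisory: the parameter names pid, duration and format, the allowlisted format values and the profiler command name are all assumptions chosen for the example. The vulnerable builder interpolates request parameters into a shell string; the hardened builder validates every parameter against a strict pattern or allowlist and returns an argv list to be run without a shell. Neither function executes anything in the demo.

```python
import re
import subprocess

# Hypothetical parameter names and constraints; the advisory only names "the cpu profile URL parameter".
PID_RE = re.compile(r"[1-9][0-9]{0,6}")        # a positive process id, bounded in length
DURATION_RE = re.compile(r"[1-9][0-9]{0,3}")   # seconds, 1-9999
FORMAT_ALLOWLIST = {"flamegraph", "speedscope"}  # constructed allowlist of output formats
PROFILER = "profiler"                          # placeholder executable name, not a real tool


def build_profile_command_vulnerable(params: dict) -> str:
    """Vulnerable pattern: URL parameters are concatenated into a single shell command string.
    Whatever the client sends, including shell metacharacters, becomes part of the command line
    if this string is later passed to a shell (e.g. subprocess.run(cmd, shell=True))."""
    return (f"{PROFILER} record -p {params.get('pid', '')} "
            f"-d {params.get('duration', '')} -f {params.get('format', '')}")


def validate_profile_params(params: dict) -> list:
    """Hardened pattern: reject unexpected or missing parameters, validate each value against a
    strict pattern or allowlist, and build an argv list so no shell ever parses the values."""
    expected = {"pid", "duration", "format"}
    if set(params) != expected:
        raise ValueError(f"unexpected or missing parameters: {sorted(set(params) ^ expected)}")
    pid, duration, fmt = params["pid"], params["duration"], params["format"]
    if not PID_RE.fullmatch(pid):
        raise ValueError("pid must be a positive integer")
    if not DURATION_RE.fullmatch(duration):
        raise ValueError("duration must be an integer number of seconds between 1 and 9999")
    if fmt not in FORMAT_ALLOWLIST:
        raise ValueError("format is not in the allowlist")
    return [PROFILER, "record", "-p", pid, "-d", duration, "-f", fmt]


def run_profile(params: dict) -> subprocess.CompletedProcess:
    """Safe call shape: validated argv, shell=False, bounded runtime.
    Requires the placeholder profiler binary to exist, so the demo below does not call it."""
    argv = validate_profile_params(params)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=60)


def demo() -> dict:
    """Compare both builders on a clean request and on a constructed request whose pid value
    carries a shell metacharacter. Returns the observations instead of printing them."""
    good = {"pid": "4242", "duration": "30", "format": "flamegraph"}
    bad = {"pid": "4242;extra", "duration": "30", "format": "flamegraph"}  # constructed sample
    results = {
        # The vulnerable builder passes the metacharacter straight through into the command string.
        "vulnerable_passes_through": ";" in build_profile_command_vulnerable(bad),
        "hardened_accepts_good": validate_profile_params(good),
    }
    try:
        validate_profile_params(bad)
        results["hardened_rejects_bad"] = False
    except ValueError:
        results["hardened_rejects_bad"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that neutralization by escaping is the weaker fix: an argv list with shell=False means the values are never interpreted by a shell at all, and the allowlist and bounded patterns keep unexpected input out of the profiler's own argument parsing as well.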

Exploit

Missing Authorization

OS Command Injection

Path Traversal

Related Identifiers

BDU:2024-02554
BDU:2024-02555
BDU:2024-02556
CVE-2023-6019
GHSA-3PWW-QVR8-6MHP
GHSA-6CXR-8Q3M-JWRR
GHSA-H3XG-WV58-5P43

Affected Products

Ray