CVE-2023-6021 – ray
Package
Manager: pip
Name: ray
Vulnerable Version: >=0 <2.8.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.86375 (percentile 0.99369)
Details
A path traversal (local file inclusion) vulnerability in Ray's log API endpoint allows an unauthenticated attacker to read any file on the server. The issue is fixed in version 2.8.1 and later. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Metadata
Created: 2023-11-16T18:30:31Z
Modified: 2025-01-09T23:39:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-3pww-qvr8-6mhp/GHSA-3pww-qvr8-6mhp.json
CWE IDs: ["CWE-22", "CWE-29"]
Alternative ID: GHSA-3pww-qvr8-6mhp
Finding: F063
Auto approve: 1