CVE-2023-6019: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

November 16, 2023 (updated November 27, 2023)

A command injection exists in Ray’s cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.

References

github.com/advisories/GHSA-h3xg-wv58-5p43
huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
nvd.nist.gov/vuln/detail/CVE-2023-6019

Detect and mitigate CVE-2023-6019 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →