CVE-2023-6019: Ray OS Command Injection vulnerability
(updated )
A command injection exists in Ray’s cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.
References
- github.com/advisories/GHSA-h3xg-wv58-5p43
- github.com/ray-project/ray
- github.com/ray-project/ray/releases/tag/ray-2.8.1
- huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
- nvd.nist.gov/vuln/detail/CVE-2023-6019
- www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Detect and mitigate CVE-2023-6019 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →