CVE-2023-6020: Use of GET Request Method With Sensitive Query Strings

November 16, 2023 (updated November 27, 2023)

LFI in Ray’s /static/ directory allows attackers to read any file on the server without authentication.

References

github.com/advisories/GHSA-6cxr-8q3m-jwrr
huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6
nvd.nist.gov/vuln/detail/CVE-2023-6020

Detect and mitigate CVE-2023-6020 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →