CRITICAL 9.8

GHSA-h3xg-wv58-5p43

Ray OS Command Injection vulnerability

Details

A command injection vulnerability exists in Ray's cpu_profile URL parameter, allowing remote, unauthenticated attackers to execute OS commands on the system running the Ray dashboard.

Affected packages

PyPI / ray
Introduced in: 0
Fixed in: 2.8.1
Fix: pip install --upgrade 'ray>=2.8.1'
