Lucene search

K
githubGitHub Advisory DatabaseGHSA-H3XG-WV58-5P43
HistoryNov 16, 2023 - 6:30 p.m.

Ray OS Command Injection vulnerability

2023-11-1618:30:31
CWE-78
GitHub Advisory Database
github.com
8
ray
command injection
vulnerability
remote execution
security
cpu profile

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.804 High

EPSS

Percentile

98.3%

A command injection exists in Ray’s cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.

Affected configurations

Vulners
Node
github_advisory_databaserayRange≀2.6.3
CPENameOperatorVersion
rayle2.6.3

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.804 High

EPSS

Percentile

98.3%