A command injection vulnerability existed in Ray's cpu_profile URL parameter, allowing attackers to execute OS commands remotely on the system running the Ray dashboard without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-o...
CVSS: 9.8
AI Score: 8.6
EPSS: 0.919
A local file inclusion (LFI) in Ray's /static/ directory allows attackers to read any file on the server without authentication.
CVSS: 7.5
AI Score: 8.3
EPSS: 0.405
A local file inclusion (LFI) in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023...
CVSS: 7.5
AI Score: 8
EPSS: 0.919