SSRF Vulnerability in Anyscale Ray Product Versions
CVE-2023-48023

9.1 CRITICAL

Key Information:

Vendor: Anyscale
Status: Vendor (disputed; see below)
CVE Published: 28 November 2023

Badges: EPSS 89%, News Worthy

What is CVE-2023-48023?

Anyscale Ray versions 2.6.3 and 2.8.0 contain a Server-Side Request Forgery (SSRF) vulnerability in the dashboard's /log_proxy endpoint, which fetches a caller-supplied URL on the server's behalf. An unauthenticated attacker who can reach the dashboard can make the Ray head node issue HTTP requests to internal systems it can reach but the attacker cannot (other cluster nodes, cloud metadata services, internal admin interfaces), exposing sensitive data or providing a foothold for further attacks within the network. The vendor's position is that the report is not relevant because Ray, as its documentation states, is only intended for use inside a strictly controlled network environment. The vulnerability still matters in practice: any deployment whose dashboard is reachable from a less trusted network, whether by design or by misconfiguration, exposes every address the head node can reach.
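The generic mitigation for a fetch-a-URL endpoint of this kind is to validate the target before the server opens a connection, rather than trusting the caller. The following is an added example, not Ray's code and not the vendor's fix: an allowlist check that a hardened log-proxy handler could run on the requested URL. The cluster network, the log-server port, and the function names are assumptions made for the example; the page does not state how Ray's endpoint is implemented or patched.

```python
"""Allowlist-based SSRF guard for a "fetch this URL for me" endpoint.

Added example for CVE-2023-48023; not Ray's code. The cluster CIDR,
the port and all names below are assumptions for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: operator knows the network the worker nodes live on and the
# single port their log servers listen on. Anything else is refused.
ALLOWED_NODE_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_PORTS = {8265}


def is_safe_proxy_target(url: str) -> bool:
    """Return True only if the server may fetch `url` on a caller's behalf."""
    parts = urlsplit(url)

    # Only plain http to cluster nodes; no file://, gopher://, etc.
    if parts.scheme != "http":
        return False
    # "http://10.0.0.5@169.254.169.254/" parses the real host after the '@';
    # credentials in a proxy target are never legitimate here.
    if parts.username is not None or parts.password is not None:
        return False

    host = parts.hostname  # lower-cased, brackets stripped for IPv6
    if host is None:
        return False

    # Require an IP literal: a hostname could resolve to anything,
    # including 127.0.0.1 or the metadata service, at fetch time.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False

    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the CIDR check below
    # sees the real IPv4 address instead of silently rejecting or passing it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # Loopback, link-local (169.254.169.254 metadata), multicast, 0.0.0.0.
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or addr.is_reserved):
        return False

    if not any(addr in net for net in ALLOWED_NODE_NETWORKS):
        return False

    # parts.port raises ValueError on a non-numeric port; a missing port
    # (None) is refused rather than defaulted.
    try:
        port = parts.port
    except ValueError:
        return False
    return port in ALLOWED_PORTS


def proxy_log(url: str, fetch) -> tuple[int, str]:
    """Hardened handler shape: validate, then fetch via the injected `fetch`.

    `fetch(url) -> str` is supplied by the caller so the example runs offline.
    """
    if not is_safe_proxy_target(url):
        return 400, "refused: target is not an allowed cluster log server"
    return 200, fetch(url)


if __name__ == "__main__":
    samples = [
        "http://10.0.0.5:8265/logs?filename=worker.out",   # allowed
        "http://169.254.169.254/latest/meta-data/",        # cloud metadata
        "http://127.0.0.1:8265/",                          # loopback
        "http://[::ffff:10.0.0.5]:8265/",                  # mapped IPv4, allowed
        "http://10.0.0.5@169.254.169.254:8265/",           # userinfo trick
        "file:///etc/passwd",                              # wrong scheme
        "http://10.0.1.5:8265/",                           # outside cluster CIDR
    ]
    for s in samples:
        print(f"{is_safe_proxy_target(s)!s:5}  {s}")
```

The decisive design choice is the IP-literal requirement: DNS rebinding and resolution-time surprises disappear if the endpoint never resolves a name. Where node hostnames must be accepted, resolve them once, apply the same address checks to every returned address, and connect to the checked address rather than re-resolving.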

News Articles

New critical Ray AI framework vulnerability emerges

Open-source artificial intelligence compute framework Ray has been found to be impacted by a critical vulnerability, tracked as CVE-2023-48023, which could be exploited to facilitate unauthorized node access, according to SecurityWeek.


EPSS Score

89%: EPSS estimates an 89% probability of exploitation activity against this vulnerability in the next 30 days.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Confidentiality: High
Integrity: High
Availability: None (a base score of 9.1 with the metrics above corresponds to A:N; an availability impact of High would score 9.8)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by SC Media
  • Vulnerability published
  • Vulnerability reserved