CVE-2023-48022

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2023-48022

Severity

9.8

Critical

CVSS V3

Description

Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)

References

https://images.chainguard.dev/security/CGA-qxp2-f668-938w
https://github.com/advisories/GHSA-6wgj-66m2-xxp2
https://images.chainguard.dev/security/CGA-49f8-3xr9-jgmp
https://images.chainguard.dev/security/CGA-6v3r-ch3m-465f
https://images.chainguard.dev/security/CGA-f4r9-rv46-jqxw
https://images.chainguard.dev/security/CGA-vgr6-vx7g-hww7
https://atlas.mitre.org/studies/AML.CS0023
https://docs.ray.io/en/latest/ray-security/index.html
https://docs.ray.io/en/latest/ray-security/token-auth.html
https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit
https://www.vicarius.io/vsociety/posts/the-story-of-shadowray-cve-2023-48022
https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

The trusted source for open source

Talk to an expert

Privacy

Terms

CVE-2023-48022

Severity

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company