Description
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
A flaw was found in ray. The job submission API allows a remote attacker to execute arbitrary code due to insufficient input validation. An unauthenticated attacker can trigger this vulnerability by sending a malicious job submission request. Successful exploitation results in arbitrary code execution on the affected Ray cluster.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat AI Inference Server | rhaiis/vllm-cuda-rhel9 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-codeflare-operator-rhel8 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-codeflare-operator-rhel9 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-dashboard-rhel8 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-data-science-pipelines-argo-argoexec-rhel8 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-data-science-pipelines-operator-controller-rhel8 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-data-science-pipelines-operator-controller-rhel9 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-kf-notebook-controller-rhel8 | Not affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-kf-notebook-controller-rhel9 | Not affected | | |
Related vulnerabilities
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
Ray has arbitrary code execution via jobs submission API
A vulnerability in the implementation of the Client application programming interface of Ray, the framework for scaling AI and Python applications, allowing an attacker to execute arbitrary commands