CVE-2023-6019

Published: 07 Aug 2025
Source: redhat
CVSS3: 9.8

Description

A command injection existed in Ray's cpu_profile URL parameter, allowing attackers to execute OS commands remotely, without authentication, on the system running the Ray dashboard. The issue is fixed in version 2.8.1+. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

A flaw was found in ray. The cpu_profile URL parameter allows for command injection, enabling a remote, unauthenticated attacker to execute arbitrary operating system commands on the system hosting the Ray dashboard. This exploitation occurs directly through a crafted URL. Successful command execution can lead to significant system compromise.

Statement

No Red Hat products are shipped with a vulnerable version of Ray.

Affected packages

Platform                        Package                                                          Status
Red Hat AI Inference Server     rhaiis/vllm-cuda-rhel9                                           Not affected
Red Hat OpenShift AI (RHOAI)    rhoai/odh-codeflare-operator-rhel8                               Not affected
Red Hat OpenShift AI (RHOAI)    rhoai/odh-codeflare-operator-rhel9                               Not affected
Red Hat OpenShift AI (RHOAI)    rhoai/odh-dashboard-rhel8                                        Not affected
Red Hat OpenShift AI (RHOAI)    rhoai/odh-data-science-pipelines-argo-argoexec-rhel8             Not affected
Red Hat OpenShift AI (RHOAI)    rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8   Not affected
Red Hat OpenShift AI (RHOAI)    rhoai/odh-data-science-pipelines-operator-controller-rhel8       Not affected
Red Hat OpenShift AI (RHOAI)    rhoai/odh-data-science-pipelines-operator-controller-rhel9       Not affected
Red Hat OpenShift AI (RHOAI)    rhoai/odh-kf-notebook-controller-rhel8                           Not affected
Red Hat OpenShift AI (RHOAI)    rhoai/odh-kf-notebook-controller-rhel9                           Not affected

The Recommendation and Release columns are empty for every row, since no listed package is affected.


Additional information

Status: Critical
Weakness: CWE-78 (OS Command Injection)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2387120 (ray: Ray Dashboard Command Injection)


Related vulnerabilities

CVSS3: 9.8
nvd
about 2 years ago

Same description as the Red Hat entry above (command injection in Ray's cpu_profile URL parameter, fixed in 2.8.1+).

CVSS3: 9.8
github
about 2 years ago

Ray OS Command Injection vulnerability

CVSS3: 9.8
fstec
more than 2 years ago

Vulnerability in the dashboard component of Ray, a framework for scaling AI and Python applications, allowing an attacker to execute arbitrary commands