CVE-2023-48022
AI Vulnerability ContextAnyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
Overview
A source-backed snapshot of this vulnerability.
CISA KEVnoWhether CISA lists this as exploited.
Techniques0AI attack methods connected to this vulnerability.
Case studies1Examples where this vulnerability is mentioned.
Vulnerability status
How serious this vulnerability is and whether it is known to be exploited.
not in CISA KEVCRITICAL
- CVE ID
- CVE-2023-48022
- CVSS v3
- 9.8
Exploit context
What the vulnerability is about.
No description available. The source record only contains identifiers and metadata.
Source evidence
Original public records and references for this page.
Original source
Original source links
Open the public records and source datasets used for this page.
NVD CVE pagehttps://nvd.nist.gov/vuln/detail/CVE-2023-48022CVE API docshttps://nvd.nist.gov/developers/vulnerabilitiesData feedshttps://nvd.nist.gov/vuln/data-feedscve@mitre.orghttps://atlas.mitre.org/studies/AML.CS0023af854a3a-2127-422b-91ae-364da2661108https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0af854a3a-2127-422b-91ae-364da2661108https://docs.ray.io/en/latest/ray-security/index.htmlcve@mitre.orghttps://docs.ray.io/en/latest/ray-security/token-auth.htmlaf854a3a-2127-422b-91ae-364da2661108https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploitaf854a3a-2127-422b-91ae-364da2661108https://www.vicarius.io/vsociety/posts/the-story-of-shadowray-cve-2023-48022
