
Commit 47687c9

Merge pull request #6219 from github/JLLeitschuh-GHSA-6wgj-66m2-xxp2
2 parents 7a2027b + df2ea7c commit 47687c9


1 file changed

+34
-3
lines changed


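--- a/advisories/unreviewed/2023/11/GHSA-6wgj-66m2-xxp2/GHSA-6wgj-66m2-xxp2.json
+++ b/advisories/unreviewed/2023/11/GHSA-6wgj-66m2-xxp2/GHSA-6wgj-66m2-xxp2.json
@@ -1,19 +1,37 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6wgj-66m2-xxp2",
-"modified": "2024-10-28T18:31:38Z",
+"modified": "2024-10-28T18:32:44Z",
 "published": "2023-11-28T09:30:26Z",
 "aliases": [
 "CVE-2023-48022"
 ],
-"details": "Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment",
+"summary": "Arbitrary code execution in ray via jobs submission API",
+"details": "Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API.\n\nNOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
 }
 ],
-"affected": [],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "ray"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+}
+]
+}
+]
+}
+],
 "references": [
 {
 "type": "ADVISORY",
@@ -31,13 +49,26 @@
 "type": "WEB",
 "url": "https://docs.ray.io/en/latest/ray-security/index.html"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/ray-project/ray"
+},
+{
+"type": "WEB",
+"url": "https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild"
+},
 {
 "type": "WEB",
 "url": "https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit"
+},
+{
+"type": "WEB",
+"url": "https://www.vulncheck.com/blog/initial-access-intelligence-august-2024"
 }
 ],
 "database_specific": {
 "cwe_ids": [
+"CWE-829",
 "CWE-918"
 ],
 "severity": "CRITICAL",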
