CVE-2023-48022

Source
https://cve.org/CVERecord?id=CVE-2023-48022
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-48022.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-48022
Published
2023-11-28T08:15:06.910Z
Modified
2026-04-02T09:39:19.566411Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Anyscale Ray 2.6.3 and 2.8.0 allow a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)

Affected packages

Git / github.com/ray-project/ray

Affected ranges

Type
GIT
Repo
https://github.com/ray-project/ray
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.6.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.8.0"
        }
    ]
}

Affected versions

0.*
0.7.5
1.*
1.12.0
1.13.1
ray-0.*
ray-0.1.0
ray-0.1.1
ray-0.1.2
ray-0.2.0
ray-0.2.1
ray-0.2.2
ray-0.3.0
ray-0.3.1
ray-0.4.0
ray-0.5.0
ray-0.5.1
ray-0.5.2
ray-0.5.3
ray-0.6.0
ray-0.6.1
ray-0.6.2
ray-0.6.3
ray-0.6.4
ray-0.6.5
ray-0.6.6
ray-0.7.0
ray-0.7.1
ray-0.7.2
ray-0.7.3
ray-0.7.4
ray-0.7.5
ray-0.7.6
ray-0.7.7
ray-0.8.0
ray-0.8.1
ray-0.8.2
ray-0.8.3
ray-0.8.4
ray-0.8.5
ray-0.8.6
ray-0.8.7
ray-1.*
ray-1.0.0
ray-1.0.1
ray-1.0.1.post1
ray-1.1.0
ray-1.10.0
ray-1.11.0
ray-1.11.1
ray-1.12.0
ray-1.12.1
ray-1.13.0
ray-1.13.1
ray-1.2.0
ray-1.3.0
ray-1.4.0
ray-1.4.1
ray-1.5.0
ray-1.5.1
ray-1.5.2
ray-1.6.0
ray-1.7.0
ray-1.7.1
ray-1.8.0
ray-1.9.0
ray-1.9.1
ray-1.9.2
ray-2.*
ray-2.0.0
ray-2.0.1
ray-2.1.0
ray-2.10.0
ray-2.11.0
ray-2.12.0
ray-2.2.0
ray-2.20.0
ray-2.21.0
ray-2.22.0
ray-2.23.0
ray-2.24.0
ray-2.3.0
ray-2.3.1
ray-2.30.0
ray-2.31.0
ray-2.32.0
ray-2.33.0
ray-2.34.0
ray-2.35.0
ray-2.36.0
ray-2.36.1
ray-2.37.0
ray-2.38.0
ray-2.39.0
ray-2.4.0
ray-2.40.0
ray-2.41.0
ray-2.42.0
ray-2.42.1
ray-2.43.0
ray-2.44.0
ray-2.44.1
ray-2.45.0
ray-2.46.0
ray-2.47.0
ray-2.47.1
ray-2.48.0
ray-2.49.0
ray-2.49.1
ray-2.49.2
ray-2.5.0
ray-2.5.1
ray-2.50.0
ray-2.50.1
ray-2.51.0
ray-2.51.1
ray-2.51.2
ray-2.52.0
ray-2.52.1
ray-2.53.0
ray-2.54.0
ray-2.54.1
ray-2.6.0
ray-2.6.1
ray-2.6.2
ray-2.6.3
ray-2.7.0
ray-2.7.1
ray-2.8.0
ray-2.9.0
ray-2.9.1
ray-2.9.2
ray-2.9.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-48022.json"