GHSA-h3xg-wv58-5p43

Suggest an improvement
Source
https://github.com/advisories/GHSA-h3xg-wv58-5p43
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-h3xg-wv58-5p43/GHSA-h3xg-wv58-5p43.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h3xg-wv58-5p43
Aliases
  • CVE-2023-6019
Published
2023-11-16T18:30:31Z
Modified
2024-02-17T05:36:38.477132Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Ray OS Command Injection vulnerability
Details

A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.

References

Affected packages

PyPI / ray

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.6.3

Affected versions

0.*

0.1.1
0.1.2
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.4.0
0.5.0
0.5.2
0.5.3
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7

1.*

1.0.0rc0
1.0.0rc1
1.0.0rc2
1.0.0
1.0.1
1.0.1.post1
1.1.0
1.2.0
1.3.0
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0rc0
1.7.0
1.7.1
1.8.0
1.9.0rc1
1.9.0rc2
1.9.0
1.9.1rc0
1.9.1
1.9.2
1.10.0rc0
1.10.0
1.11.0rc0
1.11.0rc1
1.11.0
1.11.1
1.12.0rc1
1.12.0
1.12.1
1.13.0

2.*

2.0.0rc0
2.0.0rc1
2.0.0
2.0.1
2.1.0
2.2.0
2.3.0rc0
2.3.0
2.3.1
2.4.0
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3