AVID-2026-R1292
Description
Vulnerability CVE-2023-48023
Details
Anyscale Ray 2.6.3 and 2.8.0 allow /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
Reason for inclusion in AVID: CVE-2023-48023 identifies an SSRF vulnerability in Anyscale Ray (versions 2.6.3 and 2.8.0). Ray is a core framework used to build, train, deploy, and serve AI workloads, so a vulnerability in this software directly concerns AI pipelines and general-purpose AI systems. The issue affects a software component integral to AI stacks and therefore represents a vulnerability in the software supply chain for AI systems. Evidence includes the CVE entry and the related Ray security documentation.
References
- NVD entry
- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
- https://docs.ray.io/en/latest/ray-security/index.html
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-11-28
- Version: 0.3.3
- AVID Entry