AVID-2026-R1324
Description
Ray Command Injection in cpu_profile Parameter (CVE-2023-6019)
Details
A command injection existed in Ray’s cpu_profile URL parameter, allowing an unauthenticated remote attacker to execute OS commands on the system running the Ray dashboard. The issue is fixed in Ray 2.8.1 and later. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
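The weakness class behind this entry, an OS command assembled from a URL parameter, shown as the vulnerable pattern beside a hardened one. This is an added illustration, not Ray's code: the profiler command line, the parameter names other than cpu_profile, and the sample request are assumptions.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Hypothetical profiler invocation; the real Ray dashboard code differs.
PROFILER = "py-spy"
ALLOWED_FORMATS = ("flamegraph", "speedscope", "raw")
# Strict shapes: a bounded integer pid and a short name with no shell metacharacters.
PID_RE = re.compile(r"[1-9][0-9]{0,6}")
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed sample query parameters, as a web framework would hand them to a handler.
SAMPLE_REQUEST = {"cpu_profile": "worker-1", "pid": "4242", "format": "flamegraph"}


def build_command_unsafe(params: Dict[str, str]) -> str:
    """Vulnerable pattern (CWE-78): request values are pasted into one shell string.
    Characters the shell treats specially (;, |, $(...), backticks) inside cpu_profile
    or pid are then parsed by the shell. Shown for contrast only; never execute it."""
    return (f"{PROFILER} record -p {params['pid']} --format {params['format']} "
            f"-o /tmp/{params['cpu_profile']}.svg")


def check_params(params: Dict[str, str]) -> Optional[str]:
    """Return a rejection reason, or None when every parameter has the expected shape."""
    if not PID_RE.fullmatch(params.get("pid", "")):
        return "pid must be a positive integer"
    if params.get("format", "flamegraph") not in ALLOWED_FORMATS:
        return "format must be one of " + ", ".join(ALLOWED_FORMATS)
    if not NAME_RE.fullmatch(params.get("cpu_profile", "")):
        return "cpu_profile must be a short alphanumeric name"
    return None


def build_command_safe(params: Dict[str, str]) -> List[str]:
    """Hardened pattern: validate first, then build an argv list. Run with shell=False
    no shell ever sees the values, so metacharacters cannot alter what executes."""
    reason = check_params(params)
    if reason:
        raise ValueError(reason)
    return [PROFILER, "record", "-p", params["pid"], "--format",
            params.get("format", "flamegraph"), "-o", f"/tmp/{params['cpu_profile']}.svg"]


def run_profile(params: Dict[str, str], timeout: int = 30) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell and with a timeout."""
    return subprocess.run(build_command_safe(params), shell=False, timeout=timeout,
                          capture_output=True, check=False)
```

Authentication on the dashboard endpoint is a separate control; input validation and shell-free execution close the injection even for callers who are allowed to reach it.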
Reason for inclusion in AVID: CVE-2023-6019 describes a critical remote command-injection vulnerability in Ray’s cpu_profile parameter, affecting Ray (a core ML framework) used in AI pipelines. This vulnerability impacts software components (Ray dashboard) commonly used to build/deploy AI systems, making it pertinent to the AI supply chain. The report provides explicit vulnerability details, affected component, CVSS data, and references, enabling confident curation.
References
Affected or Relevant Artifacts
- Developer: ray-project
- Deployer: ray-project
- Artifact Details:
| Type | Name |
|---|---|
| System | ray-project/ray |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 9.8 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-11-16
- Version: 0.3.3
- AVID Entry