AVID-2026-R1325
Description
Ray Log File Local File Include (CVE-2023-6021)
Details
A path traversal (local file inclusion) in Ray's log API endpoint allows an unauthenticated, network-reachable attacker to read any file the Ray process can read on the host serving the endpoint. The issue is fixed in Ray 2.8.1 and later. The Ray maintainers' response, which also states that the Ray dashboard and its APIs are not designed to be exposed to untrusted networks, can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023. In practice that means upgrading to 2.8.1+ and, independently of the upgrade, keeping the dashboard port off untrusted networks.
Reason for inclusion in AVID: CVE-2023-6021 is a network-reachable, unauthenticated path traversal (local file inclusion) in Ray's log API that lets an attacker read arbitrary files on the server. Ray is a core framework for building and running AI workloads (distributed execution, orchestration) and is widely used in general-purpose AI pipelines. This is a software vulnerability in a dependency/runtime used to build and deploy AI systems, with explicit CVE metadata, a CWE-29 classification, CVSS details, and a known fix in version 2.8.1+, as supported by the references. It is therefore AI-related, GPAI supply-chain relevant, and a security vulnerability with sufficient evidence.
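The bug class behind this entry, shown as an added example that is not Ray's code and does not reproduce Ray's actual endpoint, route or parameter names: a hypothetical log-serving handler that joins a caller-supplied file name onto a log directory (the vulnerable pattern), beside a hardened version that resolves the final path and refuses anything that does not stay inside the resolved log root. The fixture directory, file names and contents are constructed for the demo.

```python
import os
import tempfile


def unsafe_read_log(log_root: str, filename: str) -> bytes:
    """Hypothetical vulnerable handler (constructed, not Ray's code).

    Two defects typical of CWE-29-style traversal: "../" segments are
    handed straight to the filesystem, and os.path.join drops log_root
    entirely when filename is absolute. Any file the process can read
    is returned.
    """
    with open(os.path.join(log_root, filename), "rb") as f:
        return f.read()


def safe_read_log(log_root: str, filename: str) -> bytes:
    """Hardened handler: canonicalise first, then check containment.

    realpath collapses "..", follows symlinks and makes the path absolute,
    so the check sees the file that would actually be opened. commonpath
    compares whole path components, so /var/log/ray-other is correctly
    rejected for a root of /var/log/ray (a str.startswith prefix test
    would accept it).
    """
    root = os.path.realpath(log_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"refusing to read outside log dir: {filename!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(filename)
    with open(candidate, "rb") as f:
        return f.read()


def demo() -> dict:
    """Build a constructed fixture and exercise both handlers.

    Layout (all under a fresh temp dir):
      logs/worker.log   legitimate log file
      secret.txt        stands in for a sensitive host file outside the root
      logs/link.log     symlink inside the root pointing at secret.txt
    """
    base = tempfile.mkdtemp()
    log_root = os.path.join(base, "logs")
    os.mkdir(log_root)
    with open(os.path.join(log_root, "worker.log"), "wb") as f:
        f.write(b"worker started\n")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"top secret\n")
    os.symlink(secret, os.path.join(log_root, "link.log"))

    results = {}
    # The vulnerable handler leaks the file via traversal and via an absolute path.
    results["unsafe_traversal"] = unsafe_read_log(log_root, "../secret.txt")
    results["unsafe_absolute"] = unsafe_read_log(log_root, secret)
    # The hardened handler still serves a legitimate log ...
    results["safe_legit"] = safe_read_log(log_root, "worker.log")
    # ... and blocks traversal, absolute paths, symlink escapes and
    # sibling directories that merely share a name prefix with the root.
    attempts = {
        "traversal": "../secret.txt",
        "absolute": secret,
        "symlink": "link.log",
        "sibling": "../logs-other/worker.log",
    }
    for name, fn in attempts.items():
        try:
            safe_read_log(log_root, fn)
            results["safe_" + name] = "allowed"
        except PermissionError:
            results["safe_" + name] = "blocked"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The order matters: canonicalise with `realpath` before the containment check, never after, otherwise a symlink planted inside the log directory (or a `..` segment hidden behind one) passes the check and the open still escapes the root.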
References
Affected or Relevant Artifacts
- Developer: ray-project
- Deployer: ray-project
- Artifact Details:
| Type | Name |
|---|---|
| System | ray-project/ray |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Base Score | 7.5 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-29 | Path Traversal: '\..\filename' |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-11-16
- Version: 0.3.3
- AVID Entry