Anyscale Ray 2.6.3 and 2.8.0 allows a remote malicious user to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
anyscale ray 2.8.0 |
||
anyscale ray 2.6.3 |
Hackers exploit Ray framework flaw to breach servers, hijack resources By Bill Toulas March 26, 2024 02:51 PM 0 A new hacking campaign dubbed "ShadowRay" targets an unpatched vulnerability in Ray, a popular open-source AI framework, to hijack computing power and leak sensitive data from thousands of companies. According to a report by application security firm Oligo, these attacks have been underway since at least September 5, 2023, targeting education, cryptocurrency, biopharma, and other secto...
Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources Anyscale claims issue is 'long-standing design decision' – as users are raided by intruders
Thousands of companies remain vulnerable to a remote-code-execution bug in Ray, an open-source AI framework used by Amazon, OpenAI, and others, that is being abused by miscreants in the wild to steal sensitive data and illicitly mine for cryptocurrency. This is according to Oligo Security, which dubbed the unpatched vulnerability ShadowRay. The oversight is tracked as CVE-2023-48022, with a critical 9.8 out of 10 CVSS severity rating. On Tuesday the security shop's Avi Lumelsky, Guy Kaplan,...