A command injection vulnerability in Ray's cpu_profile URL parameter allowed unauthenticated remote attackers to execute OS commands on the host running the Ray dashboard. The issue is fixed in version 2.8.1 and later. The Ray maintainers' response can be found here: www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Vulnerable Product |
---|
ray project ray |
Hackers exploit Ray framework flaw to breach servers, hijack resources

By Bill Toulas, March 26, 2024 02:51 PM

A new hacking campaign dubbed "ShadowRay" targets an unpatched vulnerability in Ray, a popular open-source AI framework, to hijack computing power and leak sensitive data from thousands of companies. According to a report by application security firm Oligo, these attacks have been underway since at least September 5, 2023, targeting education, cryptocurrency, biopharma, and other secto...
Anyscale claims issue is 'long-standing design decision' – as users are raided by intruders

Thousands of companies remain vulnerable to a remote-code-execution bug in Ray, an open-source AI framework used by Amazon, OpenAI, and others, that is being abused by miscreants in the wild to steal sensitive data and illicitly mine for cryptocurrency. This is according to Oligo Security, which dubbed the unpatched vulnerability ShadowRay. The oversight is tracked as CVE-2023-48022, with a critical 9.8 out of 10 CVSS severity rating. On Tuesday the security shop's Avi Lumelsky, Guy Kaplan,...