GHSA-6cxr-8q3m-jwrr

Suggest an improvement
Source
https://github.com/advisories/GHSA-6cxr-8q3m-jwrr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-6cxr-8q3m-jwrr/GHSA-6cxr-8q3m-jwrr.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6cxr-8q3m-jwrr
Aliases
  • CVE-2023-6020
Published
2023-11-16T21:30:46Z
Modified
2025-01-09T23:46:08.669569Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
Summary
Ray Missing Authorization vulnerability
Details

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

Database specific 
{
    "severity": "CRITICAL",
    "github_reviewed_at": "2023-11-27T23:21:39Z",
    "cwe_ids": [
        "CWE-598",
        "CWE-862"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2023-11-16T21:15:09Z"
}
References

Affected packages

PyPI / ray

Package

Name
ray
View open source insights on deps.dev
Purl
pkg:pypi/ray

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.1

Affected versions

0.*

0.1.1
0.1.2
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.4.0
0.5.0
0.5.2
0.5.3
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7

1.*

1.0.0rc0
1.0.0rc1
1.0.0rc2
1.0.0
1.0.1
1.0.1.post1
1.1.0
1.2.0
1.3.0
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0rc0
1.7.0
1.7.1
1.8.0
1.9.0rc1
1.9.0rc2
1.9.0
1.9.1rc0
1.9.1
1.9.2
1.10.0rc0
1.10.0
1.11.0rc0
1.11.0rc1
1.11.0
1.11.1
1.12.0rc1
1.12.0
1.12.1
1.13.0

2.*

2.0.0rc0
2.0.0rc1
2.0.0
2.0.1
2.1.0
2.2.0
2.3.0rc0
2.3.0
2.3.1
2.4.0
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0rc0
2.7.0
2.7.1
2.7.2
2.8.0