Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
The attacker sends a specially crafted request to the job submission API of the Anyscale Ray platform without needing to possess any credentials. The API accepts tasks for execution and processes them in the runtime environment, which corresponds to an SSRF-class vulnerability (CWE-918) or leads to arbitrary code execution in the service context. The manufacturer maintains that Ray is intended exclusively for use in a strictly controlled network environment, however, in practice instances are often exposed externally.
An unauthenticated remote attacker can gain full control over the system running Ray, including reading and modifying data and affecting service availability.
Access to the Ray cluster should be restricted to trusted, isolated internal networks only and the job submission API should not be exposed publicly. The manufacturer indicates that starting from version 2.52.0, token authentication is available — it should be enabled. Patches provided by the manufacturer should be applied according to the references.
Anyscale Ray in versions 2.6.3 and 2.8.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAnyscale Ray
APPAnyscale2.6.32.8.0
Related vulnerabilities
SSRF w Anyscale Ray poprzez endpoint /log_proxy
Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow ext...
A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2....
Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST...