CVE-2023-48022
published 2023-11-28


Priority P1 · 91 · critical · 9.8 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 81.51% (99.6th percentile)
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)

Affected

6 ranges

Vendor       Product          Version range         Fixed in
anyscale     ray
anyscale     ray
anyscale     ray              >= 0 < 2.8.1          2.8.1
anyscale     ray              0 – 2.49.2
anyscale     ray              2.9.3 – 2.40.0
ray-project  ray-project_ray  unspecified – latest

Detection & IOCs (extracted from sources)

port     8265
url      /api/jobs/
url      /api/jobs/{{jobid}}/logs
other    http.favicon.hash:463802404
other    icon_hash=463802404
domain   ironern440-group
domain   thisisforwork440-ops
sigma    regex("uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)", body)
  • Monitor for unauthenticated POST requests to /api/jobs/ on Ray Dashboard port 8265; successful exploitation returns HTTP 200 with JSON body containing 'logs' key and uid/gid output.
  • Detect Ray cluster compromise by hunting for cron jobs executing every 15 minutes that pull payloads from GitHub repositories.
  • Detect Sockstress-based DDoS tool deployment on compromised Ray nodes; it exploits asymmetric resource consumption by opening large numbers of TCP connections through raw sockets.
  • Detect /etc/hosts and iptables modifications used to block rival mining pools on compromised Ray cluster nodes.
  • Use Shodan/FOFA queries for Ray Dashboard exposure: http.favicon.hash:463802404 or http.html:"ray dashboard" to identify internet-exposed Ray instances.
  • Investigate Python reverse shells opened to attacker infrastructure from Ray cluster nodes for interactive control and data exfiltration of MySQL credentials, AI models, and source code.
  • Check Point IPS signature available: 'Anyscale Ray Remote Code Execution (CVE-2023-48022)' for network-level detection.
  • Customers at Ray version 2.52.0 and later can optionally enable token authentication as a defense-in-depth measure.
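The first detection bullet and the sigma regex above, worked into a small log scanner. This is an added example, not a rule from any of the cited sources: the access-log layout, the rule names and the sample lines are constructed assumptions; only port 8265, the /api/jobs/ paths and the uid/gid regex come from the page.

```python
import re
from typing import List, NamedTuple

RAY_DASHBOARD_PORT = 8265
# Body regex exactly as quoted in the sigma entry above.
ID_OUTPUT_RE = re.compile(r"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)")
# Job log endpoint: /api/jobs/{{jobid}}/logs
JOB_LOGS_RE = re.compile(r"^/api/jobs/[^/]+/logs$")
# Assumed log layout (constructed): client method path dst_port status body
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d{3}) (.*)$")

class Finding(NamedTuple):
    rule: str
    client: str
    path: str

def scan(lines: List[str]) -> List[Finding]:
    """Flag successful job submissions and job-log output that looks like id(1)."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        client, method, path, port, status, body = m.groups()
        if int(port) != RAY_DASHBOARD_PORT or status != "200":
            continue  # only successful requests to the dashboard port matter here
        # Rule 1: a POST to the job submission API that the server accepted.
        if method == "POST" and path == "/api/jobs/":
            findings.append(Finding("ray_job_submission", client, path))
        # Rule 2: job logs carrying "uid=... gid=..." output, per the page's regex.
        elif method == "GET" and JOB_LOGS_RE.match(path) and ID_OUTPUT_RE.search(body):
            findings.append(Finding("ray_job_logs_id_output", client, path))
    return findings

# Constructed sample lines (not real traffic); 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 GET /api/jobs/ 8265 200 {"jobs":[]}',
    '198.51.100.7 POST /api/jobs/ 8265 200 {"job_id":"raysubmit_x1"}',
    '198.51.100.7 GET /api/jobs/raysubmit_x1/logs 8265 200 {"logs":"uid=0(root) gid=0(root)"}',
    '10.0.0.8 POST /api/jobs/ 8265 503 {"error":"unavailable"}',
    '198.51.100.9 GET /api/jobs/raysubmit_x2/logs 8265 200 {"logs":"training epoch 3"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.rule, f.client, f.path)
```

A benign GET of the job list and a failed submission produce no finding; only the accepted POST and the log fetch whose body matches the regex are reported.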

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa                    9.8    CRITICAL
osv                     9.8    CRITICAL
vulncheck               9.8    CRITICAL
vendor_redhat           9.8    CRITICAL