CVE-2023-48023
published 2023-11-28


Priority: P270 · Severity: critical · CVSS 3.1 base score: 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EXPLOIT available
EPSS: 35.05% (98.2nd percentile)

Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.

Affected (4 ranges)

Vendor        Product            Version range          Fixed in
anyscale      ray
anyscale      ray
anyscale      ray                >= 0, < 2.8.1          2.8.1
ray-project   ray-project_ray    unspecified – latest

Detection & IOCs (extracted from sources)

url:   /log_proxy?url=http://{{interactsh-url}}
path:  /log_proxy
port:  8265
other: http.favicon.hash:463802404
other: icon_hash=463802404
  • Detect SSRF exploitation attempts by monitoring GET requests to the /log_proxy endpoint whose 'url' parameter carries an arbitrary HTTP/HTTPS URL, particularly one pointing at an internal metadata service (e.g., AWS IMDSv1).
  • Hunt for Ray Dashboard instances exposed on port 8265 and bound to 0.0.0.0; this indicates a misconfigured deployment reachable for unauthenticated SSRF exploitation.
  • Use the Shodan query 'http.favicon.hash:463802404' or the FOFA query 'icon_hash=463802404' to identify publicly exposed Ray Dashboard instances for asset discovery and exposure assessment.
  • Monitor for use of the SSRF to retrieve AWS IAM credentials from the AWS metadata API endpoint, a known post-exploitation objective for this CVE.
  • Alert on DNS interactions from Ray Dashboard processes to out-of-band callback infrastructure; the Nuclei template confirms the SSRF with interactsh DNS callbacks.
  • The SSRF is exploitable without any authentication: only network connectivity to the Ray Dashboard port (8265 by default) is required; no credentials or prior access are needed.
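The first two detection bullets as working logic, added here as an example and not taken from the source or from the Ray project: it parses constructed Combined Log Format access-log lines for the dashboard, picks out GET /log_proxy requests with a url parameter (percent-encoded or not), and classifies where each target points (link-local 169.254.0.0/16, where cloud metadata services such as AWS IMDS live; loopback; private; or an external host such as an out-of-band callback domain). The log format, the sample lines and the severity mapping are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format) for a Ray Dashboard on port 8265.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2023:10:01:02 +0000] "GET /log_proxy?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 812 "-" "curl/8.4.0"
10.0.0.5 - - [01/Dec/2023:10:01:09 +0000] "GET /log_proxy?url=http%3A%2F%2F10.0.0.7%3A6379%2F HTTP/1.1" 200 40 "-" "python-requests/2.31"
203.0.113.9 - - [01/Dec/2023:10:02:00 +0000] "GET /log_proxy?url=http://abcd1234.oast.example/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Dec/2023:10:03:00 +0000] "GET /api/jobs/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed severity per target class: metadata/loopback reach is the worst case on the page.
SEVERITY = {"link-local-metadata": "high", "loopback": "high", "private": "medium",
            "external-name": "medium", "external-ip": "low", "malformed": "low"}


def classify_target(url: str) -> str:
    """Classify the host a /log_proxy url parameter points at."""
    host = urlsplit(url).hostname
    if host is None:
        return "malformed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external-name"  # DNS name, e.g. an out-of-band callback domain
    if ip.is_link_local:        # 169.254.0.0/16: AWS IMDS lives at 169.254.169.254
        return "link-local-metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "external-ip"


def scan_log(text: str) -> list:
    """Return one finding per GET /log_proxy request that carries a url parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path, _, query = m["target"].partition("?")
        if path != "/log_proxy":
            continue
        for url in parse_qs(query).get("url", []):  # parse_qs percent-decodes the value
            kind = classify_target(url)
            findings.append({"src": m["src"], "ts": m["ts"], "url": url,
                             "target": kind, "severity": SEVERITY[kind], "status": int(m["status"])})
    return findings
```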

CVSS provenance

nvd           v3.1   9.1   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat        9.8   CRITICAL