CVE-2023-6020
published 2023-11-16

CVE-2023-6020: LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.

Priority: P2 64 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 14.65% (96.2th percentile)

Affected

2 ranges

Vendor         Product            Version range          Fixed in
anyscale       ray                >= 0 < 2.8.1           2.8.1
ray-project    ray-project_ray    unspecified – latest

Detection & IOCs (extracted from sources)

path: /static/js/../../../../../../../../../../../../../../etc/passwd
path: /static/
other: http.favicon.hash:463802404
yara regex: root:.*:0:0:
  • Detect LFI exploitation attempts against the Ray dashboard by monitoring GET requests to /static/ that contain path traversal sequences (../../) targeting sensitive files such as /etc/passwd.
  • HTTP responses to successful LFI exploit attempts return Content-Type: application/octet-stream and carry the aiohttp Server header; match both together with an HTTP 200 status to confirm successful exploitation.
  • Use Shodan/FOFA queries to identify exposed Ray dashboard instances that may be vulnerable: favicon hash 463802404 or an HTML body containing 'ray dashboard'.
  • The Ray dashboard bound to 0.0.0.0 (the default) is publicly reachable; monitor for unauthenticated access to the Ray dashboard port as an indicator of potential exploitation.
  • CVE-2023-6020 affects Ray versions before 2.8.1; the LFI via /static/ directory path traversal is fixed in version 2.8.1 and later.
  • The vulnerability requires no authentication, so any publicly exposed Ray dashboard instance is immediately exploitable without credentials.
  • An EPSS score of 0.81449 (99.177th percentile) indicates a very high likelihood of exploitation in the wild; prioritize patching or network isolation.
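The first two detection bullets above describe a request-side check (traversal sequences under /static/) and a response-side confirmation (HTTP 200, application/octet-stream, aiohttp header). The following script is an added example written for this page, not code from the page's sources or from the Ray project. It runs both checks over a few constructed access-log lines whose format is assumed: a common-log line extended with two quoted fields for the response Content-Type and the Server header, because the page's confirmation hint needs both. It also applies the page's YARA-style regex to a captured response body, which a default web-server access log would not contain.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page's sources). The format is
# assumed: a common-log style line extended with two quoted fields, the response
# Content-Type and the Server header value.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2023:10:01:02 +0000] "GET /static/js/../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1807 "application/octet-stream" "Python/3.9 aiohttp/3.8.6"
203.0.113.5 - - [16/Nov/2023:10:01:03 +0000] "GET /static/js/main.js HTTP/1.1" 200 55310 "application/javascript" "Python/3.9 aiohttp/3.8.6"
198.51.100.7 - - [16/Nov/2023:10:02:11 +0000] "GET /static/..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 0 "text/plain" "Python/3.9 aiohttp/3.8.6"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<ctype>[^"]*)" "(?P<server>[^"]*)"$'
)

# A ".." path segment anywhere in the request path, evaluated after URL-decoding.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

# The page's YARA-style regex for /etc/passwd content in a response body.
PASSWD_RE = re.compile(r'root:.*:0:0:')


def normalize_path(target):
    """Strip the query string and URL-decode repeatedly to unwrap double encoding."""
    path = target.split('?', 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(line):
    """Return None for benign or unparseable lines, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = normalize_path(m['target'])
    if not path.startswith('/static/') or not TRAVERSAL_RE.search(path):
        return None
    # Per the page: HTTP 200 + application/octet-stream + an aiohttp Server header
    # together indicate the traversal actually returned file contents.
    success = (
        m['status'] == '200'
        and m['ctype'].startswith('application/octet-stream')
        and 'aiohttp' in m['server'].lower()
    )
    return {
        'src': m['src'],
        'timestamp': m['ts'],
        'path': path,
        'status': m['status'],
        'verdict': 'success' if success else 'attempt',
    }


def body_looks_like_passwd(body):
    """Content check for a captured response body (e.g. from a proxy or PCAP)."""
    return PASSWD_RE.search(body) is not None


def scan_log(text):
    """Run the classifier over every non-empty line and return only the hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        result = classify_request(line)
        if result is not None:
            hits.append(result)
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['verdict']:8} {hit['src']:15} {hit['status']} {hit['path']}")
```

The decode loop matters: a single `unquote` would leave `%252e%252e` as `%2e%2e` and the traversal check would miss it. Treat every "attempt" verdict as worth a look even when the status is not 200, since the same source typically retries with different depths and encodings before one succeeds.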

CVSS provenance

nvd            v3.1  7.5  HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd            v3.0  7.5  HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat        9.8  CRITICAL