CVE-2023-6020
Published 2023-11-16
CVE-2023-6020: LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.
Priority P2 · 64 · High · 7.5 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public exploit code available (Metasploit module and Nuclei template, below)
EPSS: 14.65% (96.2nd percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anyscale | ray | >= 0 < 2.8.1 (every release before 2.8.1) | 2.8.1 |
| ray-project | ray-project_ray | unspecified – latest | — |
The second row is the NVD CPE record and carries no version bounds; use the first row for the fixed-version boundary when matching inventory.
Detection & IOCs (extracted from sources)
- YARA/regex: root:.*:0:0: (the root entry of /etc/passwd; its presence in the body returned for a /static/ traversal request confirms the file read)
- Detect exploitation attempts against the Ray dashboard by monitoring GET requests to /static/ whose raw, pre-normalization path contains traversal sequences (../../, or their URL-encoded forms) and targets sensitive files such as /etc/passwd.
- Responses to successful LFI requests carry Content-Type: application/octet-stream and a Server header identifying aiohttp (the dashboard's HTTP stack); match both together with HTTP status 200 to distinguish a successful read from a mere attempt.
- Use Shodan/FOFA queries to find exposed Ray dashboards that may be vulnerable: favicon hash 463802404 or an HTML body containing 'ray dashboard'. These fingerprint exposure, not version, so confirm against the fixed-version boundary above.
- A Ray dashboard bound to 0.0.0.0 (as in many container and cluster deployments) is reachable from any network peer; treat unauthenticated access to the dashboard port (8265 by default) from outside the cluster as an indicator of potential exploitation.
- CVE-2023-6020 affects Ray versions before 2.8.1; the LFI via /static/ path traversal is fixed in 2.8.1 and later.
- The vulnerability requires no authentication, so any publicly exposed Ray dashboard running an affected version is immediately exploitable without credentials.
- The cited source quoted an EPSS score of 0.81449 (99.177th percentile). EPSS is recomputed daily, so it will not match the figure in the header above, but both values indicate a high likelihood of exploitation in the wild; prioritize patching or network isolation.
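The bullets above describe the two halves of a detection: a traversal pattern in the request and the aiohttp/octet-stream/200 signature in the response. The script below is an added example (not from this page's sources or from the Ray project) that runs that logic over constructed log lines. The log format, the client addresses (documentation ranges) and the exact aiohttp Server string are assumptions for the demo; adapt the regex to your access-log layout. It decodes the path twice so that %2e and %252e variants are caught, and it only fires when the normalized path actually leaves /static/, so /static/img/../favicon.ico is not an alert.

```python
"""Classify web-server log lines for CVE-2023-6020 style traversal against /static/."""
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (not captured traffic). Assumed format, one request per line:
#   CLIENT "METHOD TARGET HTTP/x.y" STATUS "Content-Type" "Server"
# The Server value a Ray dashboard sends comes from aiohttp, which is what the IOC relies on.
SAMPLE_LOG = [
    '203.0.113.10 "GET /static/../../../../etc/passwd HTTP/1.1" 200 "application/octet-stream" "Python/3.9 aiohttp/3.8.5"',
    '203.0.113.10 "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 "text/plain; charset=utf-8" "Python/3.9 aiohttp/3.8.5"',
    '198.51.100.7 "GET /static/js/main.js HTTP/1.1" 200 "application/javascript" "Python/3.9 aiohttp/3.8.5"',
    '198.51.100.7 "GET /static/img/../favicon.ico HTTP/1.1" 200 "image/x-icon" "Python/3.9 aiohttp/3.8.5"',
    '203.0.113.10 "GET /static/..%252f..%252fetc/passwd HTTP/1.1" 200 "application/octet-stream" "Python/3.9 aiohttp/3.8.5"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)" "(?P<server>[^"]*)"$'
)


def decode_path(target: str) -> str:
    """URL-decode the request path, repeating once so %252e (double-encoded '.') is caught."""
    path = urlsplit(target).path
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_static_traversal(target: str) -> bool:
    """True when a /static/ request uses '..' segments that escape the static root."""
    path = decode_path(target)
    if not path.startswith("/static/"):
        return False
    if ".." not in path.split("/"):
        return False
    # /static/img/../favicon.ico stays inside the root; /static/../../etc/passwd does not.
    return not normpath(path).startswith("/static/")


def classify(record: dict) -> str:
    """'benign', 'attempt' (traversal seen) or 'confirmed' (server answered like a file read)."""
    if not is_static_traversal(record["target"]):
        return "benign"
    looks_like_file_read = (
        record["status"] == "200"
        and record["ctype"].startswith("application/octet-stream")
        and "aiohttp" in record["server"].lower()
    )
    return "confirmed" if looks_like_file_read else "attempt"


def scan(lines):
    """Parse each line and return (client, verdict, decoded path); unparsable lines are skipped."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        record = m.groupdict()
        results.append((record["client"], classify(record), decode_path(record["target"])))
    return results


if __name__ == "__main__":
    for client, verdict, path in scan(SAMPLE_LOG):
        if verdict != "benign":
            print(f"{verdict:9} {client} {path}")
```

One caveat when tuning this: most HTTP clients and many reverse proxies collapse ".." before the request leaves them (curl needs --path-as-is to send the raw target), so the detector must see the request target as received by the dashboard, not a proxy-normalized copy. If a proxy in front of the dashboard normalizes paths, the attack itself is blunted and the logs will never contain the raw sequence.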
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- NVD (v3.0): 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Red Hat (vendor): 9.8 CRITICAL. Note that the Red Hat record reproduced on this page is for the related command-injection issue CVE-2023-6019, not for CVE-2023-6020; for this file-read issue the 7.5 confidentiality-only score is the applicable one.
GHSA · 2023-11-16
CVE-2023-6020 [CRITICAL] CWE-598: Ray Missing Authorization vulnerability
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
GHSA · 2023-11-16
CVE-2023-6021 [CRITICAL] CWE-22: Ray Path Traversal vulnerability (a related Ray CVE fixed in the same release)
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
OSV · 2023-11-16
CVE-2023-6021 [CRITICAL] Ray Path Traversal vulnerability: same advisory text as the GHSA entry above (LFI in Ray's log API endpoint, fixed in 2.8.1+).
OSV · 2023-11-16
CVE-2023-6020 [CRITICAL] Ray Missing Authorization vulnerability: same advisory text as the GHSA entry above (LFI in Ray's /static/ directory, fixed in 2.8.1+).
Red Hat · 2025-08-07 · CVSS 9.8
CVE-2023-6019 [CRITICAL] CWE-78: ray: Ray Dashboard Command Injection (a related Ray CVE fixed in the same release, not CVE-2023-6020)
A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute OS commands on the system running the Ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Red Hat's description: A flaw was found in ray. The `cpu_profile` URL parameter allows for command injection, enabling a remote, unauthenticated attacker to execute arbitrary operating system commands on the system hosting the Ray dashboard. This exploitation occurs directly through a crafted URL. Successful command execution can lead to significant system compromise.
Statement: No Red Hat products
Metasploit
Ray static arbitrary file read: Ray before 2.8.1 is vulnerable to a local file inclusion.
Nuclei · CVSS 7.5
CVE-2023-6020 [HIGH] Ray Static File - Local File Inclusion
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.
Template (as reproduced on this page; the text is cut off after the classification block, so the http request and matcher section is not shown):
```yaml
id: CVE-2023-6020

info:
  name: Ray Static File - Local File Inclusion
  author: byt3bl33d3r
  severity: high
  description: |
    LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.
  impact: |
    Unauthenticated attackers can read any file on the server via path traversal in the /static/ directory, potentially exposing sensitive configuration files and credentials.
  remediation: |
    Update Ray to a patched version that restricts static file access.
  reference:
    - https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6020
  classification:
    cvss-metrics:
```
Published: 2023-11-16
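The remediation text says the fix "restricts static file access". To make concrete what that restriction has to do, here is an added illustration, written for this page and not taken from Ray's source: a naive resolver that joins the decoded request path onto the static directory (the pattern that makes /static/../../etc/passwd reachable) next to a hardened resolver that canonicalizes both sides and refuses anything outside the root. The temporary directory layout, the file names and the stand-in passwd line are constructed for the demo.

```python
"""Unsafe vs. contained static-file resolution (illustration, not Ray's code)."""
import os
import tempfile
from pathlib import Path


def resolve_static_unsafe(static_root: str, requested: str) -> str:
    """Vulnerable pattern: join the (already URL-decoded) request path onto the static root
    and trust the result. '../../etc/passwd' becomes '<root>/../../etc/passwd', which
    open() follows straight out of the static directory."""
    return os.path.join(static_root, requested.lstrip("/"))


def resolve_static_safe(static_root: str, requested: str):
    """Hardened: canonicalize root and candidate (symlinks, '..', '.'), then require the
    candidate to stay under the root. Returns None for anything that escapes, is not a
    regular file, or carries a NUL byte (which would truncate the path in C-level calls)."""
    if "\x00" in requested:
        return None
    root = Path(static_root).resolve()
    candidate = (root / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError when candidate lies outside root
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def demo() -> tuple:
    """Build a throwaway tree with one legitimate asset and one file outside the static root,
    then show that the unsafe resolver reads the outside file while the safe one refuses
    and still serves the legitimate asset."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "static"
        root.mkdir()
        (root / "app.js").write_text("console.log('ok');\n")
        # constructed stand-in for /etc/passwd, deliberately placed one level above the static root
        (Path(tmp) / "secret.txt").write_text("root:x:0:0:root:/root:/bin/bash\n")

        escape = "../secret.txt"  # what the handler sees for GET /static/../secret.txt after the prefix is stripped
        leaked = Path(resolve_static_unsafe(str(root), escape)).read_text()
        blocked = resolve_static_safe(str(root), escape)
        allowed = resolve_static_safe(str(root), "app.js")
        return (
            leaked.startswith("root:x:0:0:"),
            blocked is None,
            allowed is not None and allowed.name == "app.js",
        )


if __name__ == "__main__":
    print(demo())  # (True, True, True): unsafe resolver leaks, safe one refuses, asset still served
```

Two design points worth noting. The containment check is done after resolve() on both sides, so a symlink placed inside the static directory that points outside it is rejected as well; if you need to serve through symlinks, compare against the un-resolved root deliberately and accept that trade-off. And the check runs on the decoded path: aiohttp hands handlers the percent-decoded route, so a check that looks for the literal string ".." in the raw URL, or one that runs before decoding, would miss %2e%2e and double-encoded variants.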