CVE-2023-6021
published 2023-11-16


Priority: P2 (68, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: public exploit available
EPSS: 37.08% (98.3rd percentile)
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

Affected (2 ranges)

Vendor        Product           Version range          Fixed in
anyscale      ray               >= 0, < 2.8.1          2.8.1
ray-project   ray-project_ray   unspecified – latest   (none listed)

Detection & IOCs (extracted from sources)

URL:  /api/v0/logs/file?node_id=<nodeid>&filename=../../../../../etc%2fpasswd&lines=50000
Path: /api/v0/logs/file

  • Shodan query to identify exposed Ray Dashboard instances: search for HTML containing 'Ray Dashboard' or favicon hash 463802404
  • FOFA query to identify exposed Ray Dashboard instances: search for body containing 'ray dashboard' or icon_hash 463802404
  • CVE-2023-6021 is an LFI in Ray's log API endpoint (/api/v0/logs/file); the exploit is a path traversal through the 'filename' query parameter (e.g. ../../../../../etc/passwd) and requires no authentication
  • Successful exploitation returns HTTP 200 with Content-Type text/plain and an aiohttp Server header; the response body contains the contents of the traversed file (e.g. /etc/passwd)
  • The node_id required for exploitation can be extracted from the /nodes?view=summary endpoint using the jq path '..|objects|.nodeId//empty[0]'
  • Ray Dashboard endpoints are unauthenticated by design; monitor for unexpected GET requests to /api/v0/logs/file whose filename parameter contains traversal sequences (../, or percent-encoded forms such as %2f and %2e%2e)
  • Fixed in Ray 2.8.1 and later; deployments on earlier versions are vulnerable
  • The LFI requires no authentication, so any publicly exposed Ray Dashboard is exploitable regardless of its configuration
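The monitoring advice above can be turned into a concrete log check. The following is an added example written for this page, not code from the Ray project or from the advisory sources; it assumes the dashboard sits behind a reverse proxy that writes Combined Log Format access logs, and the sample lines embedded in it are constructed, not captured from a real deployment. It parses each request to /api/v0/logs/file, percent-decodes the filename parameter repeatedly (so %2f and double-encoded %252e%252e%252f are caught), and reports only filenames that would actually resolve outside the log directory, which avoids flagging a harmless worker-1/../raylet.out.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

LOG_ENDPOINT = "/api/v0/logs/file"

# Constructed sample access-log lines in Combined Log Format. They are illustrative
# only and were not captured from any real Ray Dashboard (assumption: the dashboard
# sits behind a reverse proxy that writes this format).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2023:10:01:02 +0000] "GET /api/v0/logs/file?node_id=abc123&filename=dashboard.log&lines=100 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [16/Nov/2023:10:01:05 +0000] "GET /api/v0/logs/file?node_id=abc123&filename=../../../../../etc%2fpasswd&lines=50000 HTTP/1.1" 200 2311 "-" "python-requests/2.31"
203.0.113.5 - - [16/Nov/2023:10:01:09 +0000] "GET /api/v0/logs/file?node_id=abc123&filename=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 1090 "-" "python-requests/2.31"
203.0.113.5 - - [16/Nov/2023:10:02:00 +0000] "GET /nodes?view=summary HTTP/1.1" 200 880 "-" "python-requests/2.31"
198.51.100.7 - - [16/Nov/2023:10:03:00 +0000] "GET /api/v0/logs/file?node_id=abc123&filename=worker-1/../raylet.out HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded %252e%252e%252f collapses to ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_log_dir(filename):
    """True if the (decoded) filename would resolve outside the log directory.

    posixpath.normpath keeps leading '..' components that climb above the
    starting directory, so anything that normalises to '..' or '../...' escapes;
    an absolute path escapes trivially. A '..' that stays inside the directory
    (worker-1/../raylet.out) is not reported, which keeps false positives low.
    """
    decoded = fully_decode(filename).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    norm = normpath(decoded)
    return norm == ".." or norm.startswith("../")


def analyze_line(line):
    """Return a finding dict for a /api/v0/logs/file request, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != LOG_ENDPOINT:
        return None
    # parse_qs performs one round of percent-decoding (%2f -> /); fully_decode handles the rest.
    params = parse_qs(parts.query, keep_blank_values=True)
    raw_filename = params.get("filename", [""])[0]
    return {
        "src": m.group("src"),
        "status": int(m.group("status")),
        "node_id": params.get("node_id", [""])[0],
        "filename": raw_filename,
        "decoded": fully_decode(raw_filename),
        "traversal": escapes_log_dir(raw_filename),
    }


def find_traversal(log_text):
    """Return findings for every log-file request whose filename escapes the log directory."""
    hits = []
    for line in log_text.splitlines():
        finding = analyze_line(line)
        if finding and finding["traversal"]:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        # An HTTP 200 on a traversing filename matches the success signature described above.
        print(f'{hit["src"]} status={hit["status"]} node_id={hit["node_id"]} '
              f'filename={hit["decoded"]!r}')
```

Run against the constructed sample it reports the two requests for /etc/passwd and /etc/shadow and ignores the benign log-file fetch and the in-directory '..' request. Because a successful read returns HTTP 200 (see the IOCs above), a hit with status 200 should be treated as confirmed exposure rather than a blocked attempt; on a 2.8.1+ deployment the same request pattern is still worth alerting on as reconnaissance.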

CVSS provenance

Source             Version   Score   Severity   Vector
NVD                3.1       7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat (vendor)             9.8     CRITICAL