CVE-2023-6021
published 2023-11-16
Priority: P2 · 68 · high · CVSS 3.1: 7.5
CVSS vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
EXPLOIT
EPSS: 37.08% (98.3rd percentile)
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anyscale | ray | >= 0 < 2.8.1 | 2.8.1 |
| ray-project | ray-project_ray | unspecified – latest | — |
Detection & IOCs (extracted from sources)
url: /api/v0/logs/file?node_id=<nodeid>&filename=../../../../../etc%2fpasswd&lines=50000
path: /api/v0/logs/file
- Shodan query to identify exposed Ray Dashboard instances: search for HTML containing 'Ray Dashboard' or favicon hash 463802404
- FOFA query to identify exposed Ray Dashboard instances: search for body containing 'ray dashboard' or icon_hash 463802404
- CVE-2023-6021 is an LFI in Ray's log API endpoint (/api/v0/logs/file); the exploit uses path traversal via the 'filename' parameter (e.g., ../../../../../etc/passwd) without authentication
- Successful exploitation returns HTTP 200 with Content-Type text/plain and an aiohttp server header; the response body contains the traversed file's contents (e.g., /etc/passwd)
- The node_id required for exploitation can be extracted from the /nodes?view=summary endpoint using the JSON path '..|objects|.nodeId//empty[0]'
- Ray Dashboard endpoints are unauthenticated by design; monitor for unexpected GET requests to /api/v0/logs/file with path traversal sequences (e.g., ../ or %2f) in the filename parameter
- CVE-2023-6021 is fixed in Ray version 2.8.1+; deployments on earlier versions are vulnerable
- The LFI vulnerability requires no authentication, making it exploitable against any publicly exposed Ray Dashboard regardless of configuration
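A defender-side check for the monitoring advice above, written as an added example that is not part of this page or of the Ray project: it parses constructed access-log lines, decodes the `filename` parameter (including double-encoded `%252f`) and flags traversal attempts against `/api/v0/logs/file`; the log lines, IPs and node_id are made up.

```python
"""Flag CVE-2023-6021-style traversal requests to the Ray Dashboard log API.
Added example; the log lines below are constructed, not captured traffic."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

LOG_ENDPOINT = "/api/v0/logs/file"            # endpoint named in the advisory
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a '..' path segment

def normalize(value: str) -> str:
    """URL-decode until stable (catches %2f and %252f) and fold backslashes."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")

def is_traversal_request(target: str) -> bool:
    """True if the request hits the log endpoint with a traversing filename."""
    parts = urlsplit(target)
    if parts.path != LOG_ENDPOINT:
        return False
    for filename in parse_qs(parts.query).get("filename", []):
        if TRAVERSAL.search(normalize(filename)):
            return True
    return False

# Constructed sample lines in combined log format (hypothetical hosts/IDs).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Nov/2023:10:01:02 +0000] "GET /api/v0/logs/file?node_id=abc&filename=dashboard.log&lines=100 HTTP/1.1" 200 812
10.0.0.9 - - [16/Nov/2023:10:01:07 +0000] "GET /api/v0/logs/file?node_id=abc&filename=../../../../../etc%2fpasswd&lines=50000 HTTP/1.1" 200 2104
10.0.0.9 - - [16/Nov/2023:10:01:09 +0000] "GET /api/v0/logs/file?node_id=abc&filename=%252e%252e%252fshadow HTTP/1.1" 200 310
10.0.0.7 - - [16/Nov/2023:10:02:00 +0000] "GET /nodes?view=summary HTTP/1.1" 200 4410
"""

LINE_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def find_hits(log_text: str) -> list[dict]:
    """Return one record per suspicious request: source IP, status, target."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal_request(m["target"]):
            hits.append({"src": m["src"], "status": int(m["status"]),
                         "target": m["target"]})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)   # a 200 on a traversing filename is a likely successful read
```

A 200 response paired with a traversing filename matches the success indicator in the list above; a 4xx on the same pattern still marks a probe worth correlating with the source IP.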
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat · 9.8 CRITICAL
GHSA · 2023-11-16
CVE-2023-6020 [CRITICAL] CWE-598: Ray Missing Authorization vulnerability
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
GHSA · 2023-11-16
CVE-2023-6021 [CRITICAL] CWE-22: Ray Path Traversal vulnerability
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
OSV · 2023-11-16
CVE-2023-6021 [CRITICAL] Ray Path Traversal vulnerability
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
OSV · 2023-11-16
CVE-2023-6020 [CRITICAL] Ray Missing Authorization vulnerability
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Red Hat (vendor_redhat) · 2025-08-07 · CVSS 9.8
CVE-2023-6019 [CRITICAL] CWE-78: ray: Ray Dashboard Command Injection
A command injection existed in Ray's cpu_profile URL parameter, allowing attackers to execute OS commands on the system running the Ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
A flaw was found in ray. The `cpu_profile` URL parameter allows for command injection, enabling a remote, unauthenticated attacker to execute arbitrary operating system commands on the system hosting the Ray dashboard. This exploitation occurs directly through a crafted URL. Successful command execution can lead to significant system compromise.
Statement: No Red Hat products
No detection rules found.
Nuclei · CVSS 7.5
CVE-2023-6021 [HIGH] Ray API - Local File Inclusion
LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.
Template:

```yaml
id: CVE-2023-6021
info:
  name: Ray API - Local File Inclusion
  author: byt3bl33d3r
  severity: high
  description: |
    LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.
  impact: |
    Unauthenticated attackers can read any file on the server via the log API endpoint, potentially accessing sensitive configuration files, credentials, and application data.
  remediation: |
    Update Ray to a patched version that properly validates file paths in the logs endpoint.
  reference:
    - https://huntr.com/bounties/5039c045-f986-4cbc-81ac-370fe4b0d3f8/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6021
  classification:
    cvss-metric
```
Published: 2023-11-16