CVE-2023-48023

CRITICAL NUCLEI

Anyscale Ray - SSRF

Title source: rule

Description

Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment

Nuclei Templates (1)

Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery

CRITICALVERIFIEDby cookiehanhoan,harryha

Shodan: http.favicon.hash:463802404 || http.html:"ray dashboard"

FOFA: icon_hash=463802404 || body="ray dashboard"

References (2)

[Exploit, Third Party Advisory] https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0

[Product, Release Notes] https://docs.ray.io/en/latest/ray-security/index.html

Scores

CVSS v3 9.1

EPSS 0.8919

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-918

Status published

Products (2)

anyscale/ray 2.6.3

anyscale/ray 2.8.0

Published Nov 28, 2023

Tracked Since Feb 18, 2026