CVE-2023-48023
CRITICAL NUCLEIAnyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery via Log Proxy Endpoint
Title source: llmExploitation Summary
CVE-2023-48023 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment
Nuclei Templates (1)
Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery
CRITICALVERIFIEDby cookiehanhoan,harryha
Shodan:
http.favicon.hash:463802404 || http.html:"ray dashboard"
FOFA:
icon_hash=463802404 || body="ray dashboard"
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
Product, Release Notes
https://docs.ray.io/en/latest/ray-security/index.html
Scores
CVSS v3
9.1
EPSS
0.3505
EPSS Percentile
98.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-918
Status
published
Products (2)
anyscale/ray
2.6.3
anyscale/ray
2.8.0
Published
Nov 28, 2023
Tracked Since
Feb 18, 2026