CVE-2023-6020

HIGH NUCLEI

Ray's <static> - Info Disclosure

Title source: llm

Description

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.

Exploits (1)

metasploit WORKING POC
by byt3bl33d3r <[email protected]>, danmcinerney <[email protected]>, Takahiro Yokoyama · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb

Nuclei Templates (1)

Ray Static File - Local File Inclusion
HIGHVERIFIEDby byt3bl33d3r
Shodan: http.favicon.hash:463802404 || http.html:"ray dashboard"
FOFA: body="ray dashboard" || icon_hash=463802404

References (1)

Scores

CVSS v3 7.5
EPSS 0.8145
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-862
Status published
Products (2)
pypi/ray 0 - 2.8.1PyPI
ray_project/ray
Published Nov 16, 2023
Tracked Since Feb 18, 2026