CVE-2023-6021

HIGH NUCLEI

Ray's log API - LFI

Title source: llm

Description

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

Nuclei Templates (1)

Ray API - Local File Inclusion

HIGHVERIFIEDby byt3bl33d3r

Shodan: html:"Ray Dashboard" || http.favicon.hash:463802404 || http.html:"ray dashboard"

FOFA: body="ray dashboard" || icon_hash=463802404

References (1)

[Exploit] https://huntr.com/bounties/5039c045-f986-4cbc-81ac-370fe4b0d3f8

Scores

CVSS v3 7.5

EPSS 0.8732

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-29 CWE-22

Status published

Products (2)

pypi/ray 0 - 2.8.1PyPI

ray_project/ray

Published Nov 16, 2023

Tracked Since Feb 18, 2026