
Exploit for Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery (CVE-2023-48023)

Description:

The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation on the affected parameter, and any HTTP or HTTPS URL is accepted as valid.
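The weakness described above is that the endpoint checks, at most, the scheme of the supplied URL. The snippet below is an added illustration of the stricter check a log-proxy style endpoint needs, written for this page and not taken from Ray's code base or its fix: the destination host and port are pinned to an allowlist, userinfo and unparsable input are refused, and the decision is made before any outbound request. The allowlist contents, the port, and the handle_log_proxy function are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the hosts a log proxy is legitimately
# expected to fetch from (in a real deployment, the cluster's own node
# addresses). Illustrative values, not configuration from Ray.
ALLOWED_HOSTS = {"10.0.0.5", "10.0.0.6", "raylet-1.internal"}
ALLOWED_PORTS = {8080}  # constructed: the port the per-node log server listens on
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_log_url(url: str) -> bool:
    """Return True only if url points at an allowlisted host and port.

    Hypothetical hardening for a log_proxy-style endpoint: accepting any
    http/https URL is exactly the SSRF weakness described on this page, so
    the check pins the destination, not just the scheme.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. a malformed IPv6 literal; unparsable input is rejected
        return False

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Reject userinfo: naive substring checks misread
    # "http://10.0.0.5@203.0.113.9/" as pointing at the allowed host.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        host = parts.hostname  # lowercased, IPv6 brackets stripped
        port = parts.port      # raises ValueError if not an int in 0..65535
    except ValueError:
        return False
    if not host or host not in ALLOWED_HOSTS:
        return False
    # Fill in the default port when none was given, then pin it too
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    return port in ALLOWED_PORTS


def handle_log_proxy(url: str) -> str:
    """Constructed request handler: refuse before any outbound fetch happens."""
    if not is_allowed_log_url(url):
        return "400 Bad Request: url is not an allowed log target"
    # A real handler would perform the fetch here; it is omitted so the
    # example runs offline.
    return f"200 OK: would proxy {url}"


if __name__ == "__main__":
    # Constructed inputs: one legitimate node URL and one external host (TEST-NET)
    for candidate in ("http://10.0.0.5:8080/logs/raylet.out",
                      "http://203.0.113.9:8080/"):
        print(candidate, "->", handle_log_proxy(candidate))
```

The port is pinned on purpose: a URL that names an allowlisted host but omits the port falls back to 80 or 443 and is still refused, because the only legitimate target is the log server's own port.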

Nuclei Template

View the template here CVE-2023-48023.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-48023.yaml

References:

https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
https://security.snyk.io/vuln/SNYK-PYTHON-RAY-6096054
https://nvd.nist.gov/vuln/detail/CVE-2023-48023
https://huntr.com/bounties/448bcada-9f6f-442e-8950-79f41efacfed/