CVE-2023-48022
Severity CVSS v4.0:
Pending analysis
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
28/11/2023
Last modified:
17/12/2025
Description
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:anyscale:ray:2.6.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:anyscale:ray:2.8.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://atlas.mitre.org/studies/AML.CS0023
- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
- https://docs.ray.io/en/latest/ray-security/index.html
- https://docs.ray.io/en/latest/ray-security/token-auth.html
- https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit
- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
- https://docs.ray.io/en/latest/ray-security/index.html
- https://www.vicarius.io/vsociety/posts/shadowray-cve-2023-48022-exploit
- https://www.vicarius.io/vsociety/posts/the-story-of-shadowray-cve-2023-48022