ray@2.11.0 vulnerabilities

Ray provides a simple, universal API for building distributed applications.

latest version

2.20.0
first published

7 years ago
latest version published

3 days ago
licenses detected
- Apache-2.0
  [0,)
View ray package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the ray package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Server-side Request Forgery (SSRF) ray is an A system for parallel and distributed Python that unifies the ML ecosystem. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the dashboard API, via the `url` parameter of the `/log_proxy` API endpoint. An attacker can retrieve the highly privileged IAM credentials required by Ray from the AWS metadata API, due to insufficient input validation within the affected parameter. Notes: The maintainer's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. The maintainers have made a verification tool available to check a deployment for vulnerability to this issue: https://github.com/ray-project/ray-open-ports-checker How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `ray`.	[0,)

Server-side Request Forgery (SSRF)

ray is an A system for parallel and distributed Python that unifies the ML ecosystem.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the dashboard API, via the url parameter of the /log_proxy API endpoint. An attacker can retrieve the highly privileged IAM credentials required by Ray from the AWS metadata API, due to insufficient input validation within the affected parameter.

Notes:

The maintainer's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.

The maintainers have made a verification tool available to check a deployment for vulnerability to this issue: https://github.com/ray-project/ray-open-ports-checker

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for ray.

[0,)

Go back to all versions of this package

ray@2.11.0 vulnerabilities

Ray provides a simple, universal API for building distributed applications.

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities