Homepage
About Snyk

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Affecting ray package, versions [,2.8.0)

Severity

 Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature
    EPSS
    93.2% (100th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-RAY-6068115
  • published 17 Nov 2023
  • disclosed 16 Nov 2023
  • credit Bryce Bearchell
Report a new vulnerability Found a mistake?

Introduced: 16 Nov 2023

CVE-2023-6019 Open this link in a new tab
CWE-78 Open this link in a new tab

How to fix?

Upgrade ray to version 2.8.0 or higher.

Overview

ray is an A system for parallel and distributed Python that unifies the ML ecosystem.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') via the format parameter. An attacker can execute OS commands on the system running the dashboard remotely without authentication.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
10 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical