CVE-2023-48022
Published: 28 November 2023
Summary
CVE-2023-48022 is a critical-severity SSRF (CWE-918) vulnerability in Anyscale Ray. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-48022 is a remote code execution vulnerability affecting the job submission API in Anyscale Ray versions 2.6.3 and 2.8.0. The flaw, classified under CWE-918, permits unauthenticated network attackers to submit jobs that result in arbitrary code execution on the Ray cluster, producing a CVSS 3.1 base score of 9.8.
An attacker with network access to an exposed Ray instance can invoke the job submission endpoint to run attacker-controlled code, achieving full control over the affected cluster without requiring credentials or user interaction.
Vendor documentation states that Ray is designed only for strictly controlled network environments and notes that releases at 2.52.0 and later allow customers to enable token authentication as an optional control; the provided references include Ray security guidance and details on the ShadowRay exploitation technique.
The vulnerability carries an EPSS score that has reached 0.92, and the referenced materials link it to AI/ML attack studies in the MITRE ATLAS framework, reflecting its relevance to distributed machine-learning workloads.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-52111
Vulnerability details
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
- CWE(s): CWE-918
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing that attempts server-side requests to internal resources identifies SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the network boundary, reducing the impact of SSRF.
Validation of server-side URLs and resource references blocks SSRF attempts.
Monitoring of unexpected outbound connections detects server-side request forgery.