New critical Ray AI framework vulnerability emerges

Open-source artificial intelligence compute framework Ray has been found to be impacted by a critical vulnerability, tracked as CVE-2023-48023, which could be exploited to facilitate unauthorized node access, according to SecurityWeek. Threat actors could leverage the flaw, which stems from the absence of authentication and authorization support between its dashboard and client, to exfiltrate Ray EC2 instance credentials, a report from Bishop Fox showed. "In other words, even if a Ray administrator explicitly enabled TLS authentication, they would be unable to grant users different permissions, such as read-only access to the Ray dashboard," said Bishop Fox. Anyscale, which maintains Ray, has already been informed regarding the bug but reports have been closed as the company noted the intentional nature of unauthenticated remote code execution. Other critical flaws, including an insecure input validation bug, tracked as CVE-2023-6021, and a server-side request forgery vulnerability, tracked as CVE-2023-48022, also remain unaddressed as they have not been recognized as security bugs.