Open-source artificial intelligence compute framework Ray has been found to be impacted by a critical vulnerability, tracked as CVE-2023-48023, which could be exploited to facilitate unauthorized node access, according to SecurityWeek.
Threat actors could leverage the flaw, which stems from the absence of authentication and authorization support between its dashboard and client, to exfiltrate Ray EC2 instance credentials, a report from Bishop Fox showed.
"In other words, even if a Ray administrator explicitly enabled TLS authentication, they would be unable to grant users different permissions, such as read-only access to the Ray dashboard," said Bishop Fox.
Anyscale, which maintains Ray, has already been informed of the bug, but the reports were closed because the company stated that unauthenticated remote code execution is intended behavior.
Other critical flaws, including an insecure input validation bug, tracked as CVE-2023-6021, and a server-side request forgery vulnerability, tracked as CVE-2023-48022, also remain unaddressed as they have not been recognized as security bugs.
New critical Ray AI framework vulnerability emerges