{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46424?format=json","vulnerability_id":"VCID-79ae-r9sy-kuc3","summary":"Ray Missing Authorization vulnerability\nLFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023","aliases":[{"alias":"CVE-2023-6020"},{"alias":"GHSA-6cxr-8q3m-jwrr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44568?format=json","purl":"pkg:pypi/ray@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bu1m-265h-f7h4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/ray@2.8.1"}],"affected_packages":[],"references":[{"reference_url":"https://github.com/ray-project/ray","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/ray-project/ray"},{"reference_url":"https://github.com/ray-project/ray/releases/tag/ray-2.8.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/ray-project/ray/releases/tag/ray-2.8.1"},{"reference_url":"https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6","reference_id":"","reference_type":"","scores":[],"url":"https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6"},{"reference_url":"https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023","reference_id":"","reference_type":"","scores":[],"url":"https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6020","reference_id":"CVE-2023-6020","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6020"},{"reference_url":"https://github.com/advisories/GHSA-6cxr-8q3m-jwrr","reference_id":"GHSA-6cxr-8q3m-jwrr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6cxr-8q3m-jwrr"}],"weaknesses":[{"cwe_id":598,"name":"Use of GET Request Method With Sensitive Query Strings","description":"The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request."},{"cwe_id":862,"name":"Missing Authorization","description":"The product does not perform an authorization check when an actor attempts to access a resource or perform an action."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-79ae-r9sy-kuc3"}