Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-79ae-r9sy-kuc3
Vulnerability ID VCID-79ae-r9sy-kuc3
Aliases CVE-2023-6020
GHSA-6cxr-8q3m-jwrr
Summary Ray Missing Authorization vulnerability LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-598 Use of GET Request Method With Sensitive Query Strings
CWE-862 Missing Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/ray-project/ray
https://github.com/ray-project/ray/releases/tag/ray-2.8.1
https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6
https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
CVE-2023-6020 https://nvd.nist.gov/vuln/detail/CVE-2023-6020
GHSA-6cxr-8q3m-jwrr https://github.com/advisories/GHSA-6cxr-8q3m-jwrr
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:46:21.403296+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2023-6020.yml 38.6.0