Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-hfx6-9t71-qkfw
Vulnerability ID VCID-hfx6-9t71-qkfw
Aliases CVE-2023-6021
GHSA-3pww-qvr8-6mhp
Summary Ray Path Traversal vulnerability LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-29 Path Traversal: '..filename'
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/ray-project/ray
https://github.com/ray-project/ray/releases/tag/ray-2.8.1
https://huntr.com/bounties/5039c045-f986-4cbc-81ac-370fe4b0d3f8
https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023
CVE-2023-6021 https://nvd.nist.gov/vuln/detail/CVE-2023-6021
GHSA-3pww-qvr8-6mhp https://github.com/advisories/GHSA-3pww-qvr8-6mhp
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:46:21.493890+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/ray/CVE-2023-6021.yml 38.6.0