Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Ray is vulnerable to RCE via Safari & Firefox Browsers through DNS Rebinding Attack
Vulnerability Description
Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the User-Agent header starting with the string "Mozilla" as a defense mechanism. This defense is insufficient as the fetch specification allows the User-Agent header to be modified. Combined with a DNS rebinding attack against the browser, and this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement (malvertising). This issue has been patched in version 2.52.0.
CVSS Information
N/A
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
Ray 跨站请求伪造漏洞
Vulnerability Description
Ray是ray-project开源的一个用于扩展 AI 和 Python 应用程序的统一框架。 Ray 2.52.0之前版本存在跨站请求伪造漏洞,该漏洞源于对基于浏览器的攻击防护不足,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A