vendor:
Ray OS
by:
Fire_Wolf
6.1
CVSS
HIGH
Command Injection Remote Code Execution (Unauthorized)
78
CWE
Product Name: Ray OS
Affected Version From: <= 2.6.3
Affected Version To: 2.6.2003
Patch Exists: NO
Related CWE: CVE-2023-6019
CPE: a:ray-project:ray:2.6.3
Platforms Tested: Ubuntu 20.04.6 LTS
2024
Ray OS v2.6.3 – Command Injection RCE(Unauthorized)
The Ray Project dashboard in versions <= 2.6.3 is vulnerable to command injection due to lack of validation in the format parameter. This vulnerability allows an attacker to execute arbitrary commands in the system shell. If the system is configured for passwordless sudo, the attacker can gain a root shell; otherwise, a user-level shell can be obtained.
Mitigation:
To mitigate this vulnerability, ensure proper input validation is implemented for user-supplied data before executing commands in the system shell. Additionally, avoid configuring systems for passwordless sudo unless absolutely necessary.
