Ray Log File Local File Include
Description
Ray's log API endpoint lacks authentication, allowing unauthenticated attackers to read arbitrary files on the server; fixed in version 2.8.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-6021 is a Local File Inclusion (LFI) vulnerability in Ray's log API endpoint. The endpoint does not require authentication, enabling an attacker to read any file on the server by crafting a malicious request [1].
Exploitation does not require any prior access or privileges; an attacker can send an HTTP request to the vulnerable endpoint from any network position that can reach the Ray Dashboard. According to Ray maintainers, the security boundary of Ray is intended to be outside the cluster, meaning the dashboard should never be exposed to untrusted networks. However, when it is, this bug allows arbitrary file reads [3].
The impact is information disclosure: an attacker can read sensitive files such as configuration files, credentials, or proprietary data. This is distinct from remote code execution, but can significantly compromise confidentiality [1][3].
The vulnerability is fixed in Ray version 2.8.1 [2]. Users are strongly advised to upgrade immediately and ensure their Ray clusters are not exposed to untrusted networks as per best practices [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ray (PyPI) | < 2.8.1 | 2.8.1 |
Affected products
- ray-project/ray-project/ray v5 Range: unspecified
References
- github.com/advisories/GHSA-3pww-qvr8-6mhp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-6021 (ghsa, ADVISORY)
- github.com/ray-project/ray/releases/tag/ray-2.8.1 (ghsa, WEB)
- huntr.com/bounties/5039c045-f986-4cbc-81ac-370fe4b0d3f8 (ghsa, WEB)
- www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023 (ghsa, WEB)