maoning
commented
1 month ago Hi @jimmy-ly00 , thanks for the reporting. This vulnerability is already covered by https://github.com/google/tsunami-security-scanner-plugins/blob/4ce380aea042ef0b75c273447728a81e414139b4/google/detectors/rce/ai/cve202348022/README.md plugin.
This is definitely the type of vulnerability we are interested in. Feel free to open similar requests in the future, and cross reference on the existing plugins to make sure there's no duplicates.
Ray is an framework for scaling AI and Python applications. There was a exploit discovered by Bishop Fox that allows a remote attacker to execute arbitrary code via the job submission API. This is already well-documented in: https://www.vicarius.io/vsociety/posts/the-story-of-shadowray-cve-2023-48022