Severity: High

Product: ray

CSRF Leading to RCE via /api/job_agent/jobs/

A Cross-Site Request Forgery (CSRF) vulnerability in Ray version 2.9.1 allows an attacker to achieve Remote Code Execution (RCE) on the cluster by luring a user who can reach the Ray dashboard to an attacker-controlled web page. That page can submit a job through the /api/job_agent/jobs/ endpoint because the dashboard does not verify that a state-changing request actually originated from it: the endpoint serves a permissive Access-Control-Allow-Origin policy, requires no custom header, and accepts content types that browsers send cross-site without a CORS preflight. No fixed version or patch commit is listed in this advisory, so operators must apply the mitigations below themselves.

Available publicly on May 02 2024

CVSS score: 8.8

CVE:

No CVE

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Credit:

ehtec

Remediation Steps
  • Remove the permissive Access-Control-Allow-Origin policy: do not answer Access-Control-Allow-Origin: * on this endpoint. Echo only a trusted dashboard origin, or send no CORS headers at all.
  • Require a custom request header on job-submission requests. Page script cannot attach a custom header to a cross-site request without a CORS preflight, and a non-permissive CORS policy refuses that preflight, so the header works like a CSRF token.
  • Accept only Content-Type: application/json. Form submissions and fetch() calls with text/plain, multipart/form-data or application/x-www-form-urlencoded are CORS "simple requests" that browsers send without a preflight; accepting them is what lets a malicious page reach the endpoint.
  • Apply the same User-Agent check that other dashboard endpoints already use to reject browser user agents, since this endpoint is meant for the Ray job CLI/SDK. This is defence in depth only: a non-browser client can set any User-Agent, but a victim's browser cannot change its own from page script.
  • Test these controls together rather than in isolation: the custom-header and content-type requirements only help once the CORS policy no longer approves preflights from arbitrary origins.
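The four mitigations above, implemented as a server-side gate for the job-submission endpoint. This is an added example, not Ray's dashboard code: it works on plain header dicts so it runs offline, and the custom header name X-Ray-Job-Client, the allowed dashboard origin and the sample requests are assumptions constructed for illustration. Wiring csrf_violations() into the dashboard's request handler and making the Ray job client send the custom header are left to the reader.

```python
# Added example (not Ray project code): CSRF gate for a job-submission
# endpoint. Header name, allowed origin and sample requests are assumptions.

PROTECTED_PREFIX = "/api/job_agent/"           # endpoint family from the advisory
REQUIRED_HEADER = "X-Ray-Job-Client"           # assumed custom header name
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:8265"})   # assumed dashboard origin
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
BROWSER_UA_MARKERS = ("Mozilla/", "AppleWebKit", "Chrome/", "Safari/", "Firefox/")
# Media types a browser will send cross-site WITHOUT a CORS preflight. A
# <form> post or fetch() using one of these reaches the server no matter
# what CORS policy it has.
SIMPLE_MEDIA_TYPES = frozenset({"text/plain", "multipart/form-data",
                                "application/x-www-form-urlencoded"})


def _h(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    name = name.lower()
    return next((v for k, v in headers.items() if k.lower() == name), None)


def media_type(content_type):
    """'application/json; charset=utf-8' -> 'application/json'."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def is_browser(user_agent):
    return any(m in (user_agent or "") for m in BROWSER_UA_MARKERS)


def csrf_violations(method, path, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return the reasons to reject the request; an empty list means accept.

    Only state-changing requests under PROTECTED_PREFIX are gated, so a
    GET listing of jobs is unaffected.
    """
    if not path.startswith(PROTECTED_PREFIX) or method.upper() in SAFE_METHODS:
        return []
    problems = []
    # Step 1 (server side): a browser-supplied Origin must be one we trust.
    # "Origin: null" from a sandboxed or redirected page also fails this test.
    origin = _h(headers, "Origin")
    if origin is not None and origin not in allowed_origins:
        problems.append(f"origin {origin!r} not allowed")
    if _h(headers, "Sec-Fetch-Site") == "cross-site":
        problems.append("Sec-Fetch-Site: cross-site")
    # Step 3: JSON only. Simple media types are what make the CSRF possible.
    mt = media_type(_h(headers, "Content-Type"))
    if mt != "application/json":
        note = " (preflight-free simple request)" if mt in SIMPLE_MEDIA_TYPES else ""
        problems.append(f"content type {mt or '(none)'} is not application/json{note}")
    # Step 2: a custom header. Page script can only add one via a preflighted
    # request, which cors_response_headers() below refuses for foreign origins.
    if _h(headers, REQUIRED_HEADER) is None:
        problems.append(f"missing {REQUIRED_HEADER} header")
    # Step 4: this endpoint is for the job CLI/SDK; a browser UA is a red flag.
    if is_browser(_h(headers, "User-Agent")):
        problems.append("browser User-Agent")
    return problems


def cors_response_headers(request_origin, allowed_origins=ALLOWED_ORIGINS):
    """Step 1: echo only a trusted Origin; never emit '*' on this endpoint."""
    if request_origin in allowed_origins:
        return {"Access-Control-Allow-Origin": request_origin,
                "Vary": "Origin",
                "Access-Control-Allow-Headers": "Content-Type, " + REQUIRED_HEADER}
    return {}   # no CORS headers: the browser fails the preflight for other origins


# Constructed sample requests (not captured traffic).
CROSS_SITE_FORM_POST = {   # auto-submitted <form> on the attacker's page
    "method": "POST", "path": "/api/job_agent/jobs/",
    "headers": {"Origin": "https://attacker.example",
                "Sec-Fetch-Site": "cross-site",
                "Content-Type": "application/x-www-form-urlencoded",
                "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"}}
CROSS_SITE_JSON_FETCH = {  # fetch() with JSON + custom header: preflighted, and
    "method": "POST", "path": "/api/job_agent/jobs/",   # still refused here
    "headers": {"Origin": "https://attacker.example",
                "Content-Type": "application/json",
                "X-Ray-Job-Client": "spoofed",
                "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"}}
CLI_SUBMIT = {             # what an updated `ray job submit` client would send
    "method": "POST", "path": "/api/job_agent/jobs/",
    "headers": {"Content-Type": "application/json",
                "X-Ray-Job-Client": "ray-job-cli",
                "User-Agent": "python-requests/2.31.0"}}

if __name__ == "__main__":
    for name, req in (("cross-site form", CROSS_SITE_FORM_POST),
                      ("cross-site JSON fetch", CROSS_SITE_JSON_FETCH),
                      ("CLI submit", CLI_SUBMIT)):
        print(f"{name}: {csrf_violations(**req) or 'accepted'}")
```

The two layers matter together. CROSS_SITE_JSON_FETCH would never reach the handler from a real browser once cors_response_headers() stops echoing "*", because the preflight fails; csrf_violations() still rejects it on Origin and User-Agent in case the CORS layer is misconfigured again. Requiring X-Ray-Job-Client does break older job clients until they are updated to send it, which is the price of turning the header into a CSRF token.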
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A