CSRF Leading to RCE via /api/job_agent/jobs/
A Cross-Site Request Forgery (CSRF) vulnerability in Ray version 2.9.1 allows an attacker to achieve Remote Code Execution (RCE) by luring a user whose browser can reach the Ray dashboard to a malicious website. The attacker's page issues a forged request to the job-submission endpoint /api/job_agent/jobs/, which performs no check that the request came from a trusted client, so the job it submits is accepted and executed on the cluster. The source material identifies no patch for this issue, so the mitigations below must be applied manually.
Available publicly on May 02 2024
Remediation Steps
- Remove the permissive Access-Control-Allow-Origin policy, so that a cross-origin browser request that requires a CORS preflight fails the preflight and is never sent.
- Enforce a custom header that a cross-site page cannot add: an HTML form cannot set it, and JavaScript that sets it turns the request into one that requires a preflight.
- Enforce the application/json content type for requests, which a cross-site "simple request" (an HTML form sending text/plain, multipart/form-data or application/x-www-form-urlencoded) cannot produce without a preflight.
- Implement User-Agent checks, as other endpoints already do, to reject requests from common browsers.
- Regularly review and update security policies and configurations to protect against emerging threats and vulnerabilities.
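The four server-side checks above, applied together to a job-submission request, as an added example that is not Ray's own code. The web framework's request object is stood in for by a small Request class; the custom header name X-Job-Submit-Token, the allow-listed origin, the browser User-Agent markers and the sample requests are assumptions constructed for illustration, not captured traffic.

```python
from dataclasses import dataclass

# Hypothetical custom header required on every job submission.  A cross-site HTML
# form cannot add it, and a cross-origin fetch() that adds it is no longer a "simple
# request", so the browser sends a CORS preflight first.
REQUIRED_HEADER = "x-job-submit-token"
REQUIRED_CONTENT_TYPE = "application/json"
# Origins that may pass a CORS preflight (assumed trusted front end).  Same-origin
# dashboard traffic needs no CORS header and is unaffected by this list.
ALLOWED_ORIGINS = frozenset({"https://trusted-ui.internal.example"})
# Substrings that identify common browser User-Agents (assumption; extend as needed).
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")


@dataclass(frozen=True)
class Request:
    method: str
    headers: dict  # raw header names; looked up case-insensitively

    def header(self, name: str) -> str:
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return ""


def cors_headers_vulnerable(req: Request) -> dict:
    """Pre-remediation policy: every origin passes preflight and may read responses."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_hardened(req: Request) -> dict:
    """Echo only an allow-listed Origin; any other origin gets no CORS header at all."""
    origin = req.header("Origin")
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def preflight_allowed(req: Request) -> bool:
    """Would the browser's OPTIONS preflight succeed under the hardened policy?"""
    return "Access-Control-Allow-Origin" in cors_headers_hardened(req)


def gate_job_submission(req: Request) -> tuple:
    """Checks for POST /api/job_agent/jobs/; returns (allowed, reason)."""
    if req.method.upper() != "POST":
        return False, "method not allowed"
    # A cross-site form can only send text/plain, multipart or urlencoded bodies.
    content_type = req.header("Content-Type").split(";", 1)[0].strip().lower()
    if content_type != REQUIRED_CONTENT_TYPE:
        return False, "content type must be application/json"
    if not req.header(REQUIRED_HEADER):
        return False, "missing " + REQUIRED_HEADER + " header"
    user_agent = req.header("User-Agent")
    if any(marker in user_agent for marker in BROWSER_UA_MARKERS):
        return False, "browser user agents are not accepted on this endpoint"
    return True, "ok"


# Constructed sample requests (not captured traffic).
CROSS_SITE_FORM_POST = Request("POST", {
    "Origin": "https://attacker.example",
    "Content-Type": "text/plain",  # <form enctype="text/plain">: sent with no preflight
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0.0.0 Safari/537.36",
})
CROSS_ORIGIN_PREFLIGHT = Request("OPTIONS", {
    "Origin": "https://attacker.example",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "content-type, x-job-submit-token",
})
TRUSTED_UI_PREFLIGHT = Request("OPTIONS", {
    "Origin": "https://trusted-ui.internal.example",
    "Access-Control-Request-Method": "POST",
})
CLI_SUBMISSION = Request("POST", {
    "Content-Type": "application/json",
    "X-Job-Submit-Token": "1",
    "User-Agent": "python-requests/2.31.0",
})

if __name__ == "__main__":
    print("cross-site form:", gate_job_submission(CROSS_SITE_FORM_POST))
    print("CLI submission:", gate_job_submission(CLI_SUBMISSION))
    print("attacker preflight, vulnerable policy:", cors_headers_vulnerable(CROSS_ORIGIN_PREFLIGHT))
    print("attacker preflight, hardened policy:", preflight_allowed(CROSS_ORIGIN_PREFLIGHT))
```

The content-type and custom-header checks only work because the permissive CORS header is gone: with Access-Control-Allow-Origin: * in place, the attacker's fetch() would pass the preflight and could then send application/json and any custom header it likes. The User-Agent check assumes jobs are submitted from the CLI or SDK; if the dashboard's own browser UI submits jobs through this endpoint, scope the check so that same-origin UI traffic is not rejected.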
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A