Ray Insertion of Sensitive Information into Log File Vulnerability

Vulnerability

A vulnerability exists in the Ray package in versions prior to 2.43.0 that allows sensitive information, such as the Redis password, to be written to log files unintentionally. The issue arises when the password is passed as an argument while logging is enabled. Exploitation requires an attacker who can both read those logs and reach the Redis instance over the network.

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of the Redis password, allowing an attacker who can reach the instance to authenticate to Redis and access the data it holds.

Reproduction

To reproduce this vulnerability, start the Ray Client server on an affected Ray version (earlier than 2.43.0) and pass the Redis password as an argument, with logging enabled and with the Redis instance configured to require password authentication. Inspect the resulting logs: the password appears in plain text, so anyone who can read the logs obtains it.

Remediation

Users are advised to upgrade to Ray version 2.43.0 or later and to rotate their Redis password. Upgrading stops new leaks but does not remove the password from log files already written, so rotate the password after the upgrade and purge, or restrict access to, existing logs, including any copies shipped to a central log collector.
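The following script is an added example for the reproduction and remediation steps above; it is not code from the Ray project or from this advisory. It does two things a responder would want: compares an installed Ray version against the fixed release 2.43.0, and scans log lines for a Redis password leaked as a CLI flag, a keyword argument, or credentials embedded in a redis:// URL, redacting it in the output. The log lines are constructed for the example and the matching patterns are assumptions about how such a leak could look, not the exact format affected Ray builds emit.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Ray versions below this one are affected per the advisory above.
FIXED_VERSION = (2, 43, 0)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.42.1' into (2, 42, 1). Pre-release suffixes such as 'rc1' are
    dropped, so treat release candidates with care."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:          # '2.43' compares equal to '2.43.0'
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the installed Ray release predates the fix."""
    return version_tuple(version) < FIXED_VERSION


# Characters that can make up a password token in a log line (stops at
# whitespace, quotes and closing brackets so surrounding syntax survives).
SECRET = r"[^\s'\"\],)}]+"

# Assumed shapes a leaked Redis password could take in a log line; these are
# illustrative patterns, not the exact format emitted by affected Ray builds.
# Group 2 of each pattern is the secret itself.
LEAK_PATTERNS = [
    re.compile(r"(--redis-password(?:=|\s+))(" + SECRET + ")", re.I),                   # CLI flag
    re.compile(r"(redis[_-]password['\"]?\s*[=:]\s*['\"]?)(" + SECRET + ")", re.I),     # kwarg / dict
    re.compile(r"(redis://[^:@/\s]*:)([^@\s]+)(?=@)", re.I),                             # URL credentials
]


def redact(line: str) -> str:
    """Replace every secret captured by LEAK_PATTERNS with [REDACTED].
    Spans are computed on the original line so patterns that overlap
    (the flag form also matches the keyword form) do not double-redact."""
    spans = sorted(m.span(2) for pat in LEAK_PATTERNS for m in pat.finditer(line))
    out, pos = [], 0
    for start, end in spans:
        if start < pos:            # overlaps a span already redacted
            continue
        out.append(line[pos:start])
        out.append("[REDACTED]")
        pos = end
    out.append(line[pos:])
    return "".join(out)


def find_password_leaks(lines: Iterable[str], known_secret: Optional[str] = None) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line that looks like it
    carries a Redis password. If the current password is supplied, lines that
    contain it verbatim are flagged too, regardless of surrounding syntax."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        suspicious = any(pat.search(line) for pat in LEAK_PATTERNS)
        if known_secret and known_secret in line:
            suspicious = True
        if suspicious:
            cleaned = redact(line)
            if known_secret:
                cleaned = cleaned.replace(known_secret, "[REDACTED]")
            hits.append((lineno, cleaned))
    return hits


# Constructed sample log lines (not real Ray output) showing three ways the
# password could surface: as a CLI argument, inside a connection URL, and in
# a dumped config dict. Line 3 is a benign control line.
SAMPLE_LOG = [
    "2025-06-09 19:46:01,120 INFO ray start: args=['--head', '--redis-password=s3cret-pw']",
    "2025-06-09 19:46:01,130 INFO connecting to redis://default:s3cret-pw@10.0.0.5:6379",
    "2025-06-09 19:46:01,140 INFO raylet started, node_id=abc123",
    "2025-06-09 19:46:01,150 DEBUG client server config: {'redis_password': 's3cret-pw', 'port': 10001}",
]

if __name__ == "__main__":
    import sys
    installed = sys.argv[1] if len(sys.argv) > 1 else "2.42.1"
    print(f"ray {installed}: {'VULNERABLE' if is_vulnerable_version(installed) else 'fixed'}")
    for lineno, cleaned in find_password_leaks(SAMPLE_LOG, known_secret="s3cret-pw"):
        print(f"line {lineno}: {cleaned}")
```

Run it with the installed version as the first argument (for example the output of `python -c "import ray; print(ray.__version__)"`); to sweep real logs, feed the file's lines to find_password_leaks and pass the current password as known_secret so that any leak the patterns do not anticipate is still caught. Printing only the redacted form matters: a scan that echoes the secret into a ticket or a shell history would recreate the very problem the advisory describes.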

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 3.3
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.