@blamejs/exceptd-skills 0.13.79 → 0.13.80

package/data/atlas-ttps.json

@@ -1525,7 +1525,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--f13dede7-12ee-5f0e-985a-4f801aecb681",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0029": {
     "id": "AML.T0029",
@@ -1573,7 +1576,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--7bbac64e-2b1d-5cb0-a442-bb7573b0a328",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0035": {
     "id": "AML.T0035",
@@ -1589,7 +1595,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--801658f2-81cd-5935-93c7-5e6e2d80e669",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0036": {
     "id": "AML.T0036",
@@ -1685,7 +1694,10 @@
       "ATLAS"
     ],
     "stix_id": "attack-pattern--ebeed0c7-c5de-5049-8f27-efcae5f88b00",
-    "is_subtechnique": false
+    "is_subtechnique": false,
+    "cve_refs": [
+      "CVE-2023-48022"
+    ]
   },
   "AML.T0050": {
     "id": "AML.T0050",

package/data/attack-techniques.json

@@ -269,6 +269,7 @@
       "DS0017"
     ],
     "cve_refs": [
+      "CVE-2023-48022",
       "CVE-2024-50050",
       "CVE-2025-1094",
       "CVE-2025-11837",
@@ -825,6 +826,7 @@
       "CVE-2023-33538",
       "CVE-2023-3519",
       "CVE-2023-39780",
+      "CVE-2023-48022",
       "CVE-2023-52163",
       "CVE-2024-12987",
       "CVE-2024-1709",
@@ -2458,6 +2460,7 @@
     "name": "Resource Hijacking",
     "version": "v19",
     "cve_refs": [
+      "CVE-2023-48022",
       "MAL-2024-PYPI-ULTRALYTICS-XMRIG"
     ],
     "description_full": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. Resource hijacking may take a number of different forms. For example, adversaries may: * Leverage compute resources in order to mine cryptocurrency * Sell network bandwidth to proxy networks * Generate SMS traffic for profit * Abuse cloud-based messaging services to send large quantities of spam messages In some cases, adversaries may leverage multiple types of Resource Hijacking at once.(Citation: Sysdig Cryptojacking Proxyjacking 2023)",

package/data/cve-catalog.json

@@ -11296,6 +11296,118 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "NVIDIA Triton Inference Server has a second authentication bypass (CWE-288) reachable unauthenticated over the network, enabling privilege escalation and information disclosure; fixed in r26.03. NVD scores 9.8; NVIDIA scores 7.3."
   },
+  "CVE-2023-48022": {
+    "name": "Anyscale Ray Job Submission API Unauthenticated RCE (ShadowRay)",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NVD CVSS v3.1 base 9.8 (CRITICAL); NVD marks the record DISPUTED. NVD assigns CWE-918; the operational root cause is missing authorization (CWE-862) on the Ray Job Submission / Dashboard API, which accepts and runs attacker-supplied code without authentication.",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "Public exploit and detection content exist (e.g. github.com/jakabakos/ShadowRay-RCE-PoC-CVE-2023-48022 and a ProjectDiscovery nuclei template): an unauthenticated request to an internet-exposed Ray Dashboard / Job Submission API submits a Python payload that runs on worker nodes.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by Bishop Fox and tracked at scale by Oligo Security (ShadowRay / ShadowRay 2.0). The abused surface is the Job Submission API of a widely deployed AI/ML compute framework.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the significance is that the exposed compute is AI/ML infrastructure (model weights, training data, cloud credentials) and the impact includes AI artifact theft.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Confirmed mass exploitation in the wild. Oligo's ShadowRay 2.0 campaign (active since September 2024, reported through 2026) turned exposed Ray clusters into crypto-mining botnets and exfiltrated model weights and cloud credentials; reporting counts on the order of 230,000 internet-exposed Ray environments. Not on the CISA KEV catalog because NVD lists the CVE as disputed.",
+    "affected": "Anyscale Ray (open-source distributed AI/ML compute framework). NVD records 2.6.3 and 2.8.0; the unauthenticated Job Submission / Dashboard API behavior persists across releases until network controls or token authentication (added in 2.52.0) are applied.",
+    "affected_versions": [
+      "Anyscale Ray 2.6.3",
+      "Anyscale Ray 2.8.0",
+      "Anyscale Ray (Job Submission API exposed without token auth, < 2.52.0)"
+    ],
+    "vector": "Ray's Dashboard / Job Submission API accepts a job specification containing Python code and runs it on cluster worker nodes without requiring authentication (missing authorization). An unauthenticated attacker who can reach an exposed Ray dashboard achieves remote code execution across the cluster, then harvests AI artifacts and cloud credentials and hijacks compute for crypto mining.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N — network-reachable, unauthenticated, low-complexity. The precondition is an internet-exposed Ray dashboard.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No code patch — the vendor disputes this is a vulnerability and treats the open Job API as intended for trusted networks. Mitigation: never expose the Ray dashboard / Job Submission API to untrusted networks, enable token authentication (Ray 2.52.0+), and place the cluster behind network controls.",
+    "vendor_update_paths": [
+      "Do not expose the Ray dashboard / Job Submission API to untrusted networks. Enable token authentication (Ray 2.52.0 or later). Restrict the dashboard to a controlled network segment and put an authenticating proxy in front. Treat any internet-exposed Ray cluster as compromised and rotate cloud credentials and model artifacts."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-IA-2": "Authentication is treated as out-of-scope for the Ray Job API because the vendor frames the cluster as a controlled-network deployment; in practice the API is internet-exposed and unauthenticated.",
+      "NIST-800-53-SC-7": "Boundary-protection control assumes the AI compute cluster is network-isolated; reality is hundreds of thousands of internet-exposed dashboards.",
+      "ISO-27001-2022-A.5.15": "Access-control policy does not require authentication on the AI compute framework's job API, relying on an assumed controlled network.",
+      "NIS2-Art21-patch-management": "Article 21 measures do not address a disputed, no-patch vulnerability whose only remediation is configuration and network control.",
+      "DORA-Art-9": "ICT protection measures do not model an unauthenticated, actively-exploited AI compute control plane as an ICT-risk event.",
+      "UK-CAF-B2": "Identity and Access Control objective has no requirement to authenticate the AI compute framework's job submission API.",
+      "AU-ISM-1546": "Patch-application control offers nothing for a disputed, no-patch flaw remediated only by configuration.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework rejects the 'controlled network is the security control' assumption for AI compute; an exposed, unauthenticated Job API is RCE plus AI-artifact and credential theft."
+    },
+    "atlas_refs": [
+      "AML.T0049",
+      "AML.T0034",
+      "AML.T0035",
+      "AML.T0025"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059",
+      "T1496"
+    ],
+    "rwep_score": 68,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "P1/High (RWEP 68, >= 60 \"patch within 72 hours\" band per lib/scoring.js timeline). poc_available=20 + active_exploitation confirmed=20 (ShadowRay 2.0 mass exploitation) + blast_radius=28 (≈230k exposed Ray environments) with no patch credit (disputed, configuration-only mitigation). Not on CISA KEV because NVD lists the CVE as disputed — a case where RWEP, not KEV or CVSS alone, captures the real-world priority.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-48022",
+    "cwe_refs": [
+      "CWE-862",
+      "CWE-918"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Internet-reachable Ray dashboard (default port 8265) or Job Submission API responding without authentication.",
+        "Ray job specifications submitted from unexpected source IPs that spawn shell commands, miners, or reverse shells on worker nodes.",
+        "Outbound connections from Ray workers to mining pools or attacker infrastructure; cloud credential or model-weight egress following job submission.",
+        "Ray clusters exposed without token authentication (pre-2.52.0 default, or token auth not enabled) — the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures derived from NVD CVE-2023-48022 (disputed; operational root cause missing authorization on the Ray Job Submission API), the Bishop Fox advisory (https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0), and Oligo Security's ShadowRay / ShadowRay 2.0 in-the-wild reporting. MITRE ATLAS case study AML.CS0023."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
+      "https://bishopfox.com/blog/ray-versions-2-6-3-2-8-0",
+      "https://atlas.mitre.org/studies/AML.CS0023",
+      "https://www.darkreading.com/cyber-risk/shadowray-20-ai-clusters-crypto-botnets"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "Anyscale (Ray Security)",
+        "advisory_id": "ray-security-docs",
+        "url": "https://docs.ray.io/en/latest/ray-security/index.html",
+        "severity": "critical",
+        "published_date": "2023-11-28"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-48022",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
+        "severity": "critical",
+        "published_date": "2023-11-28"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from NVD (disputed; NVD CWE-918, operational root cause CWE-862; NIST CVSS 9.8) + the Bishop Fox advisory + Oligo Security ShadowRay reporting + MITRE ATLAS case study AML.CS0023. A landmark actively-exploited AI-compute exposure that no patch addresses.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Anyscale Ray's Job Submission / Dashboard API runs attacker-supplied code without authentication; internet-exposed clusters are mass-exploited (ShadowRay 2.0) for crypto mining and AI-artifact / credential theft. Vendor-disputed, no code patch — mitigate with token auth (2.52.0+) and network isolation."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -1706,6 +1706,7 @@
       "webapp-security"
     ],
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2023-52163",
       "CVE-2024-57726",
       "CVE-2025-20362",
@@ -1819,6 +1820,7 @@
       "CVE-2021-22054",
       "CVE-2021-22175",
       "CVE-2021-39935",
+      "CVE-2023-48022",
       "CVE-2025-61884"
     ],
     "framework_controls_partially_addressing": [

package/data/framework-control-gaps.json

@@ -34,6 +34,7 @@
     "status": "open",
     "opened_date": "2026-01-01",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-50050",
       "CVE-2025-23254",
       "CVE-2025-30165",
@@ -1748,6 +1749,7 @@
     "status": "open",
     "opened_date": "2026-03-15",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-50050",
       "CVE-2025-10585",
       "CVE-2025-1094",
@@ -2103,6 +2105,7 @@
     "status": "open",
     "opened_date": "2026-05-01",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-40635",
       "CVE-2025-53767",
       "CVE-2026-42897"
@@ -3575,6 +3578,7 @@
     "status": "open",
     "opened_date": "2026-05-13",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2026-24206",
       "CVE-2026-24207"
     ],
@@ -4784,6 +4788,7 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
@@ -5352,6 +5357,7 @@
     "status": "open",
     "opened_date": "2026-05-17",
     "evidence_cves": [
+      "CVE-2023-48022",
       "CVE-2024-21762",
       "CVE-2024-50050",
       "CVE-2025-23254",
@@ -5579,6 +5585,7 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
+      "CVE-2023-48022",
       "CVE-2025-55241",
       "CVE-2026-24206",
       "CVE-2026-24207"
@@ -5646,6 +5653,7 @@
     "opened_date": "2026-05-18",
     "evidence_cves": [
       "CVE-2020-10148",
+      "CVE-2023-48022",
       "CVE-2024-1709",
       "CVE-2026-20182",
       "CVE-2026-24206",

package/data/zeroday-lessons.json

@@ -6833,6 +6833,56 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2023-48022": {
+    "name": "Anyscale Ray Job Submission API Unauthenticated RCE (ShadowRay)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "Ray's Job Submission / Dashboard API runs attacker-supplied Python without authentication (missing authorization). Internet-exposed clusters are exploited at scale (ShadowRay 2.0) for crypto mining and theft of model weights and cloud credentials.",
+      "privileges_required": "none (NVD AV:N / PR:N) — unauthenticated against an exposed dashboard",
+      "complexity": "low (NVD AC:L)",
+      "ai_factor": "The exposed compute is AI/ML infrastructure: a single unauthenticated Job API yields the model weights, training data, and cloud credentials on the cluster. The lesson is that 'deploy only on a controlled network' is not a security control — it is an assumption that fails at scale (≈230k exposed Ray environments), so the AI compute control plane must authenticate every caller."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Authentication is treated as out-of-scope for the Ray Job API on the assumption of a controlled network; the API is internet-exposed and unauthenticated in practice."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection assumes the AI compute cluster is isolated; hundreds of thousands of dashboards are internet-exposed."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework rejects the 'controlled network is the control' assumption for AI compute; the exposed Job API is RCE plus AI-artifact and credential theft."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 75,
+      "basis": "Organizations accept the vendor's 'controlled network' framing and never test whether the Ray dashboard is internet-reachable or authenticated; the disputed status keeps it out of patch-driven programs.",
+      "theater_pattern": "controlled_network_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-088",
+        "name": "AI-COMPUTE-CONTROL-PLANE-AUTHENTICATION",
+        "description": "An AI compute framework's job/control API must authenticate every caller; 'deploy only on a trusted network' is an assumption, not a control, and must not substitute for authentication. Enable Ray token authentication (2.52.0+), never expose the dashboard / Job Submission API to untrusted networks, front it with an authenticating proxy, and treat any internet-exposed cluster as compromised (rotate model artifacts and cloud credentials). The distinguishing test: from the public internet, attempt to reach the Ray dashboard (default 8265) and submit a job unauthenticated on a staging cluster; it must be refused.",
+        "evidence": "https://atlas.mitre.org/studies/AML.CS0023",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2025-34291": {
     "name": "Langflow Account Takeover + RCE (CORS / refresh-token chain)",
     "lesson_date": "2026-05-24",