CVE-2025-1979
March 06, 2025
Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.
This is only exploitable if:
1) Logging is enabled;
2) Redis is using password authentication;
3) Those logs are accessible to an attacker, who can reach that redis instance.
Note:
It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.
Affected Packages
ray (PYTHON):
Affected version(s) >=0.0.1 <2.43.0Fix Suggestion:
Update to version 2.43.0Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.7
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Insertion of Sensitive Information into Log File
EPSS
Base Score:
0.03
