CVE-2025-1979

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.1 / Impact : 4.7

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

V

ersions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password. This is only exploitable if: 1) Logging is enabled; 2) Redis is using password authentication; 3) Those logs are accessible to an attacker, who can reach that redis instance. **Note:** It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.

References

Link	Resource
https://github.com/ray-project/ray/commit/64a2e4010522d60b90c389634f24df77b603d85d
https://github.com/ray-project/ray/issues/50266
https://github.com/ray-project/ray/pull/50409
https://security.snyk.io/vuln/SNYK-PYTHON-RAY-8745212

Configurations

No configuration.

History

06 Mar 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-06 05:15

Updated : 2025-03-06 16:15

NVD link : CVE-2025-1979

Mitre link : CVE-2025-1979

CVE.ORG link : CVE-2025-1979

JSON object : View

Products Affected

No product.

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2025-1979", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 1.1}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-06T05:15:16.213", "references": [{"url": "https://github.com/ray-project/ray/commit/64a2e4010522d60b90c389634f24df77b603d85d", "source": "[email protected]"}, {"url": "https://github.com/ray-project/ray/issues/50266", "source": "[email protected]"}, {"url": "https://github.com/ray-project/ray/pull/50409", "source": "[email protected]"}, {"url": "https://security.snyk.io/vuln/SNYK-PYTHON-RAY-8745212", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.\r\rThis is only exploitable if:\r\r1) Logging is enabled;\r\r2) Redis is using password authentication;\r\r3) Those logs are accessible to an attacker, who can reach that redis instance.\r\r**Note:**\r\rIt is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password."}, {"lang": "es", "value": "Las versiones del paquete ray anteriores a la 2.43.0 son vulnerables a la inserci\u00f3n de informaci\u00f3n confidencial en el archivo de registro donde se registra la contrase\u00f1a de Redis en el registro est\u00e1ndar. Si la contrase\u00f1a de Redis se pasa como argumento, se registrar\u00e1 y podr\u00eda filtrarse la contrase\u00f1a. Esto solo se puede explotar si: 1) el registro est\u00e1 habilitado; 2) Redis est\u00e1 utilizando la autenticaci\u00f3n de contrase\u00f1a; 3) esos registros son accesibles para un atacante, que puede llegar a esa instancia de Redis. **Nota:** Se recomienda que cualquier persona que est\u00e9 ejecutando esta configuraci\u00f3n actualice a la \u00faltima versi\u00f3n de Ray y luego rote su contrase\u00f1a de Redis."}], "lastModified": "2025-03-06T16:15:54.187", "sourceIdentifier": "[email protected]"}