Bug 2350231 (CVE-2025-1979)

Summary:	CVE-2025-1979 ray: Insertion of Sensitive Information into Log File
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	jeder
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in the ray package. Versions of the package ray before 2.43.0 are vulnerable to the insertion of sensitive information into the log file where the Redis password is being logged in the standard logging. If the Redis password is passed as an argument, it will be logged, and the password could be leaked. This is only exploitable if logging is enabled, Redis is using password authentication, and the logs are accessible to an attacker who can access that Redis instance.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-03-06 06:01:10 UTC

Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password.

This is only exploitable if:

1) Logging is enabled;

2) Redis is using password authentication;

3) Those logs are accessible to an attacker, who can reach that redis instance.

**Note:**

It is recommended that anyone who is running in this configuration should update to the latest version of Ray, then rotate their redis password.