PT-2020-10258 · Ruckus Wireless · Ruckus Wireless Unleashed

Published

2020-01-22

Updated

2021-07-21

CVE-2019-19843

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Ruckus Wireless Unleashed versions through 200.7.10.102.64

Description The issue is related to incorrect access control in the web interface, allowing remote credential fetch via an unauthenticated HTTP request. This request involves a symlink with /tmp and web/user/wps tool cache.

Recommendations For versions through 200.7.10.102.64, consider restricting access to the web interface to prevent unauthenticated HTTP requests until a fix is available. As a temporary workaround, consider disabling the web interface or limiting its accessibility to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Files Accessible to External Parties

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-552CWE-522

Related Identifiers

CVE-2019-19843

Affected Products

Ruckus Wireless Unleashed

PT-2020-10258 · Ruckus Wireless · Ruckus Wireless Unleashed

CVE-2019-19843

Weakness Enumeration

Related Identifiers

Affected Products

References · 6