PT-2021-20087 · Commscope · Commscope Ruckus Iot Controller

Jim Becher

Published

2021-07-07

Updated

2021-07-09

CVE-2021-33217

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions CommScope Ruckus IoT Controller versions 1.7.1.0 and earlier

Description An issue in the Web Application of the CommScope Ruckus IoT Controller allows authenticated users to perform arbitrary read/write actions. The API endpoint allows an HTTP POST request to write arbitrary content into any file on the filesystem with root privileges.

Recommendations For CommScope Ruckus IoT Controller versions 1.7.1.0 and earlier, consider restricting access to the API endpoint that allows arbitrary file writes until a patch is available. As a temporary workaround, limit the privileges of authenticated users to prevent them from performing arbitrary read/write actions on the filesystem.

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

CVE-2021-33217

Affected Products

Commscope Ruckus Iot Controller

PT-2021-20087 · Commscope · Commscope Ruckus Iot Controller

CVE-2021-33217

Weakness Enumeration

Related Identifiers

Affected Products

References · 4