CVE-2020-26878

Sažetak

Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.

Reference

https://adepts.of0x.cc/ruckus-vriot-rce/
https://twitter.com/TheXC3LL
https://support.ruckuswireless.com/security_bulletins/305
https://support.ruckuswireless.com/documents
https://adepts.of0x.cc
https://x-c3ll.github.io

CVSS

Base:	9.0
Impact:	10.0
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Zadnje važnije ažuriranje

21-07-2021 - 11:39

Objavljeno

26-10-2020 - 20:15