Ruckus SmartZone and Network Director Directory Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A directory traversal vulnerability has been identified in Ruckus SmartZone (SZ) versions prior to 6.1.2p3 Refresh Build. It allows authenticated users to traverse directories and read sensitive files through the file download functionality, which is meant to be restricted to certain directories. The issue arises from hardcoded directory paths that can be manipulated to access files outside the intended directory.
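
The class of flaw described above, as an added example that is not Ruckus code and not part of the original advisory: a check that matches the raw request string against a hardcoded directory prefix, next to one that canonicalizes the path before comparing. The function names, directory names and sample files are constructed, and the prefix-match form of the flawed check is an assumption, since the advisory does not show the affected code.

```python
import os
import tempfile


def naive_is_allowed(requested, allowed_roots):
    """Flawed pattern: match the raw request string against hardcoded prefixes."""
    return any(requested.startswith(root + os.sep) for root in allowed_roots)


def resolve_download(requested, allowed_roots):
    """Return the canonical path if it stays inside an allowed root, else None."""
    real = os.path.realpath(requested)  # collapses ".." and follows symlinks
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        # commonpath compares whole path components, not characters
        if os.path.commonpath([real, real_root]) == real_root:
            return real
    return None


def demo():
    """Build a constructed directory tree and compare both checks on it."""
    base = tempfile.mkdtemp()
    logs = os.path.join(base, "logs")  # hypothetical download root (assumption)
    conf = os.path.join(base, "conf")  # outside the download root
    os.makedirs(logs)
    os.makedirs(conf)
    for path in (os.path.join(logs, "app.log"), os.path.join(conf, "secret.key")):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    os.symlink(os.path.join(conf, "secret.key"), os.path.join(logs, "link"))

    requests = {
        "plain": os.path.join(logs, "app.log"),
        "dotdot": os.path.join(logs, "..", "conf", "secret.key"),
        "symlink": os.path.join(logs, "link"),
    }
    # Each value is (naive check accepts, canonical check accepts)
    return {
        name: (naive_is_allowed(req, [logs]), resolve_download(req, [logs]) is not None)
        for name, req in requests.items()
    }


if __name__ == "__main__":
    for name, (naive, strict) in demo().items():
        print(f"{name:8} naive={naive} canonical={strict}")
```

Serve the file from the canonical path that `resolve_download` returns rather than from the original request string, so the path that was checked is the path that is opened.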

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files, potentially including hardcoded secrets that could be used to gain elevated privileges or bypass authentication.

Remediation

Ruckus has released patches for this vulnerability. Users are advised to upgrade to SmartZone versions 6.1.2.p3 Refresh Build, 7.1, 5.2.2, or 5.2.1.3. For Network Director, users should upgrade to version 3.0, 4.0, or 4.5.

Added: Aug 4, 2025, 5:27 PM
Updated: Aug 4, 2025, 5:27 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 3.3
exploitability: 4.9
remediation: 7.9
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.