CWE-23: Relative Path Traversal, Authenticated Arbitrary File Read:
Ruckus vSZ allows users to download files from an allowed directory, but by hardcoding a directory path, a user could traverse other directory paths with ../ to read sensitive files.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
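
The containment check that this class of bug (CWE-23) calls for, shown beside the unsafe join pattern. This is an added illustration, not vendor code or anything taken from the affected product. The function names, directory layout and file names are all constructed for the demonstration.

```python
import os
import tempfile

def naive_resolve(base_dir, requested):
    """Unsafe pattern: joins the fixed base directory with user input as-is."""
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_resolve(base_dir, requested):
    """Return the canonical path only if it stays inside base_dir, else raise."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    base = os.path.realpath(base_dir)
    # realpath collapses ../ segments and follows symlinks before the check runs
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes allowed directory: %r" % requested)
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate

def demo():
    """Build a constructed tree and run each request through both resolvers."""
    root = tempfile.mkdtemp()
    allowed = os.path.join(root, "downloads")        # the "allowed directory"
    os.mkdir(allowed)
    with open(os.path.join(allowed, "report.txt"), "w") as f:
        f.write("public")
    secret = os.path.join(root, "secret.conf")       # lives outside the allowed dir
    with open(secret, "w") as f:
        f.write("sensitive")
    os.symlink(secret, os.path.join(allowed, "link"))  # symlink pointing outside
    requests = ["report.txt", "../secret.conf", "sub/../../secret.conf", secret, "link"]
    results = {}
    for req in requests:
        naive = naive_resolve(allowed, req)
        naive_escapes = not naive.startswith(allowed + os.sep)
        try:
            safe_resolve(allowed, req)
            verdict = "allowed"
        except (PermissionError, FileNotFoundError, ValueError) as exc:
            verdict = type(exc).__name__
        results[req] = (naive_escapes, verdict)
    return results

if __name__ == "__main__":
    for req, (escapes, verdict) in demo().items():
        print("%-40s naive_escapes=%-5s safe=%s" % (req, escapes, verdict))
```

The symlink case shows why the check has to run on the canonical path: the lexically normalized path for `link` still sits inside the allowed directory, yet opening it would read the file outside.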