9.3

CVE-2017-6224

Ruckus Wireless Zone Director Controller firmware releases ZD9.x, ZD10.0.0.x, ZD10.0.1.x (less than 10.0.1.0.17 MR1 release) and Ruckus Wireless Unleashed AP Firmware releases 200.0.x, 200.1.x, 200.2.x, 200.3.x, 200.4.x contain OS Command Injection vulnerabilities that could allow local authenticated users to execute arbitrary privileged commands on the underlying operating system by appending those commands in the Common Name field in the Certificate Generation Request.

Data provided by the National Vulnerability Database (NVD)
Affected configurations (NVD)

Firmware                                          Platform
Ruckus Wireless ZoneDirector zd9.9.0.0.205        Ruckus Wireless ZoneDirector (version -)
Ruckus Wireless ZoneDirector zd9.9.0.0.212        Ruckus Wireless ZoneDirector (version -)
Ruckus Wireless ZoneDirector zd9.9.0.0.216        Ruckus Wireless ZoneDirector (version -)
Ruckus Wireless ZoneDirector zd9.10.0.0.218       Ruckus Wireless ZoneDirector (version -)
Ruckus Wireless ZoneDirector zd9.13.0.0.103       Ruckus Wireless ZoneDirector (version -)
Ruckus Wireless ZoneDirector zd9.13.0.0.209       Ruckus Wireless ZoneDirector (version -)
Ruckus Wireless Unleashed 200.1                   Ruckus Wireless Unleashed (version -)
Ruckus Wireless Unleashed 200.1.9.12.55           Ruckus Wireless Unleashed (version -)
Ruckus Wireless Unleashed 200.3                   Ruckus Wireless Unleashed (version -)
Ruckus Wireless Unleashed 200.3.9.13.228          Ruckus Wireless Unleashed (version -)
Ruckus Wireless Unleashed 200.4.9.13              Ruckus Wireless Unleashed (version -)
Ruckus Wireless Unleashed 200.4.9.13.47           Ruckus Wireless Unleashed (version -)
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS Metrics

Type   Source      Score   Percentile
EPSS   FIRST.org   0.75%   0.718
CVSS Metrics

Source         Base Score   Exploitability Score   Impact Score   Vector String
nvd@nist.gov   8.8          2.8                    5.9            CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov   9.3          8.6                    10             AV:N/AC:M/Au:N/C:C/I:C/A:C
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.