CVE-2024-21876

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability via a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows an unautheticated attacker to access or create arbitratry files.This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:enphase:iq_gateway_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:enphase:iq_gateway:-:*:*:*:*:*:*:*

History

23 Aug 2024, 18:05

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.1
CPE cpe:2.3:h:enphase:iq_gateway:-:*:*:*:*:*:*:*
cpe:2.3:o:enphase:iq_gateway_firmware:*:*:*:*:*:*:*:*
References () https://csirt.divd.nl/CVE-2024-21876 - () https://csirt.divd.nl/CVE-2024-21876 - Third Party Advisory
References () https://csirt.divd.nl/DIVD-2024-00011 - () https://csirt.divd.nl/DIVD-2024-00011 - Third Party Advisory
References () https://enphase.com/cybersecurity/advisories/ensa-2024-1 - () https://enphase.com/cybersecurity/advisories/ensa-2024-1 - Vendor Advisory
First Time Enphase
Enphase iq Gateway
Enphase iq Gateway Firmware
Summary
  • (es) Limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") a través de un parámetro de URL en Enphase IQ Gateway (anteriormente conocido como Envoy) permite a un atacante no autenticado acceder o crear archivos arbitrarios. Este problema afecta a Envoy: desde 4.x a 8.x y &lt; 8.2.4225.

12 Aug 2024, 13:41

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-12 13:38

Updated : 2024-08-23 18:05


NVD link : CVE-2024-21876

Mitre link : CVE-2024-21876

CVE.ORG link : CVE-2024-21876


JSON object : View

Products Affected

enphase

  • iq_gateway_firmware
  • iq_gateway
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')