CVE-2024-21878

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:enphase:iq_gateway_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:enphase:iq_gateway:-:*:*:*:*:*:*:*

History

23 Aug 2024, 17:52

Type Values Removed Values Added
First Time Enphase
Enphase iq Gateway
Enphase iq Gateway Firmware
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
Summary
  • (es) La neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando ("Inyección de comando") en Enphase IQ Gateway (anteriormente conocido como Envoy) permite la inyección de comando del sistema operativo. Esta vulnerabilidad está presente en un script interno. Este problema afecta a Envoy: desde 4.x hasta 8.x inclusive y actualmente no está parcheado.
References () https://csirt.divd.nl/CVE-2024-21878 - () https://csirt.divd.nl/CVE-2024-21878 - Third Party Advisory
References () https://csirt.divd.nl/DIVD-2024-00011 - () https://csirt.divd.nl/DIVD-2024-00011 - Third Party Advisory
References () https://enphase.com/cybersecurity/advisories/ensa-2024-3 - () https://enphase.com/cybersecurity/advisories/ensa-2024-3 - Vendor Advisory
CPE cpe:2.3:h:enphase:iq_gateway:-:*:*:*:*:*:*:*
cpe:2.3:o:enphase:iq_gateway_firmware:*:*:*:*:*:*:*:*
CWE CWE-78

12 Aug 2024, 13:41

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-12 13:38

Updated : 2024-08-23 17:52


NVD link : CVE-2024-21878

Mitre link : CVE-2024-21878

CVE.ORG link : CVE-2024-21878


JSON object : View

Products Affected

enphase

  • iq_gateway_firmware
  • iq_gateway
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')