Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability via a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows an unauthenticated attacker to access or create arbitrary files. This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.
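The weakness class the description names, CWE-22 reached through a query-string parameter, as an added example that is not Enphase's code and makes no claim about the gateway's real endpoint: the parameter name `path`, the host `gw` and the directory layout are assumptions for the illustration. A naive handler joins the parameter onto a document root; the hardened resolver canonicalises the path first and refuses anything that lands outside the root, which guards the file-creation case the advisory mentions as well as the read.

```python
# Added illustration of CWE-22 via a URL parameter; not Enphase's code.
# The parameter name "path", the host "gw" and the document root layout
# are assumptions made for this example.
import os
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


def file_param_from_url(url: str, param: str = "path") -> str:
    """Pull the file name out of the query string the way a careless handler
    might: parse_qs already percent-decodes once, and the extra unquote()
    means a double-encoded '%252e%252e%252f' also collapses to '../'."""
    value = parse_qs(urlsplit(url).query).get(param, [""])[0]
    return unquote(value)


def vulnerable_resolve(root: str, user_path: str) -> str:
    """Vulnerable: concatenates unchecked input. '../' walks out of root,
    and an absolute user_path makes os.path.join drop root entirely."""
    return os.path.join(root, user_path)


def hardened_resolve(root: str, user_path: str) -> str:
    """Resolve user_path beneath root and refuse anything that ends up
    outside it. realpath() collapses '..' and follows symlinks before the
    containment check, so the decision is made on the path the OS would
    actually open. The same check protects writes (file creation) as reads."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes document root: {user_path!r}")
    return candidate


def _read_if_exists(path: str) -> Optional[str]:
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Constructed scenario: a document root holding index.html and a
    secret.txt one level above it. Returns, per request URL, what the
    vulnerable resolver would serve and whether the hardened one allowed
    or rejected the same input."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("index")
    with open(os.path.join(base, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("outside-root")

    requests = [
        "http://gw/?path=index.html",                 # legitimate request
        "http://gw/?path=../secret.txt",              # plain traversal
        "http://gw/?path=%2e%2e%2fsecret.txt",        # percent-encoded
        "http://gw/?path=%252e%252e%252fsecret.txt",  # double-encoded
    ]
    results = {}
    for url in requests:
        requested = file_param_from_url(url)
        served = _read_if_exists(vulnerable_resolve(root, requested))
        try:
            hardened_resolve(root, requested)
            verdict = "allowed"
        except ValueError:
            verdict = "rejected"
        results[url] = (served, verdict)
    return results


if __name__ == "__main__":
    for url, (served, verdict) in demo().items():
        print(f"{url:45s} vulnerable served={served!r:15s} hardened={verdict}")
```

The containment test compares `commonpath` of the canonical root and the canonical candidate rather than checking a string prefix, so a sibling directory such as `www2` next to `www` is not accepted by accident; decoding the parameter only once in the real handler would remove the double-encoding path as well.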
Fixes

Solution

Devices are being updated remotely by the vendor.


Workaround

It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network.

History

Fri, 23 Aug 2024 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Enphase iq Gateway; Enphase iq Gateway Firmware
CPEs | | cpe:2.3:h:enphase:iq_gateway:-:*:*:*:*:*:*:*; cpe:2.3:o:enphase:iq_gateway_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Enphase iq Gateway; Enphase iq Gateway Firmware
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Mon, 12 Aug 2024 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Enphase; Enphase envoy
CPEs | | cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*
Vendors & Products | | Enphase; Enphase envoy
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 10 Aug 2024 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability via a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows an unauthenticated attacker to access or create arbitrary files. This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.
Title | | Unauthenticated Path Traversal via URL Parameter in Enphase IQ Gateway version < 8.2.4225
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H'}


MITRE

Status: PUBLISHED

Assigner: DIVD

Published:

Updated: 2025-03-11T13:38:30.594Z

Reserved: 2024-01-02T18:30:11.174Z

Link: CVE-2024-21876

Vulnrichment

Updated: 2024-08-12T15:38:53.056Z

NVD

Status: Analyzed

Published: 2024-08-12T13:38:14.743

Modified: 2024-08-23T18:05:55.543

Link: CVE-2024-21876

Redhat

No data.

OpenCVE Enrichment

No data.