Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a url parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication. This issue affects Envoy: from 4.x to 8.0 and < 8.2.4225.
Fixes

Solution

Devices are remotely being updated by the vendor.


Workaround

It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network.

History

Fri, 23 Aug 2024 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Enphase iq Gateway; Enphase iq Gateway Firmware
CPEs | | cpe:2.3:h:enphase:iq_gateway:-:*:*:*:*:*:*:*; cpe:2.3:o:enphase:iq_gateway_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Enphase iq Gateway; Enphase iq Gateway Firmware
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Mon, 12 Aug 2024 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Enphase; Enphase envoy
CPEs | | cpe:2.3:h:enphase:envoy:-:*:*:*:*:*:*:*
Vendors & Products | | Enphase; Enphase envoy
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 10 Aug 2024 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a url parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication. This issue affects Envoy: from 4.x to 8.0 and < 8.2.4225.
Title | | Insecure File Generation Based on User Input in Enphase IQ Gateway version 4.x to 8.x and < 8.2.4225
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H'}


MITRE

Status: PUBLISHED

Assigner: DIVD

Published:

Updated: 2025-03-11T13:38:26.399Z

Reserved: 2024-01-02T18:30:11.174Z

Link: CVE-2024-21877

Vulnrichment

Updated: 2024-08-12T12:52:47.607Z

NVD

Status : Analyzed

Published: 2024-08-12T13:38:14.980

Modified: 2024-08-23T18:06:45.520

Link: CVE-2024-21877

Redhat

No data.

OpenCVE Enrichment

No data.