
CVE-2024-21880

URL parameter manipulation allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x <= 7.x

CVE CVE-2024-21880
Title URL parameter manipulation allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x <= 7.x
Case DIVD-2024-00011
Credits
Affected products
Product Affected Unaffected Unknown
Enphase Envoy = 7.x (semver)
= 6.x (semver)
= 5.x (semver)
= 4.x (semver)
everything else
CVSS
Base score 8.6 - HIGH
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Privileges Required HIGH
Confidentiality Impact
Vulnerable system HIGH Subsequent systems LOW
Integrity Impact
Vulnerable system HIGH Subsequent systems LOW
Availability Impact
Vulnerable system HIGH Subsequent systems LOW
Safety impact PRESENT
Automatable YES
Recovery IRRECOVERABLE
Value Density CONCENTRATED
Vulnerability Response effort HIGH
Provider Urgency NOT_DEFINED
References
Problem type(s) CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Impact(s) CAPEC-88 OS Command Injection
Date published 10 Aug 2024 17:00 UTC
Last modified

Description

An Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection.

This issue affects Envoy: 4.x <= 7.x

Workaround(s)

It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network.

Solution(s)

Devices are being updated remotely by the vendor.

