CVE-2024-21878

Aug. 12, 2024, 1:41 p.m.

Tags

CWE-77
2024-08-12
csirt@divd.nl
CVE-2024-21878

Product(s) Impacted

Enphase IQ Gateway (Envoy)

  • 4.x - 8.x

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.

Weaknesses

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE ID: 77

Date

Published: Aug. 12, 2024, 1:38 p.m.

Last Modified: Aug. 12, 2024, 1:41 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

csirt@divd.nl

References

https://csirt.divd.nl/CVE-2024-21878
csirt@divd.nl
https://csirt.divd.nl/DIVD-2024-00011
csirt@divd.nl
https://enphase.com/cybersecurity/advisories/ensa-2024-3
csirt@divd.nl