CVE-2024-21879

Aug. 12, 2024, 1:41 p.m.

Tags

CWE-77
2024-08-12
csirt@divd.nl
CVE-2024-21879

Product(s) Impacted

Enphase IQ Gateway

  • 4.x
  • 5.x
  • 6.x
  • 7.x
  • 8.0.x - 8.2.4225

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through an url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection.This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.

Weaknesses

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE ID: 77

Date

Published: Aug. 12, 2024, 1:38 p.m.

Last Modified: Aug. 12, 2024, 1:41 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

csirt@divd.nl

References

https://csirt.divd.nl/CVE-2024-21879
csirt@divd.nl
https://csirt.divd.nl/DIVD-2024-00011
csirt@divd.nl
https://enphase.com/cybersecurity/advisories/ensa-2024-4
csirt@divd.nl