Path Traversal Vulnerability Affects Enphase IQ Gateway, Multiple Versions Impacted
CVE-2024-21876
What is CVE-2024-21876?
CVE-2024-21876 is a path traversal vulnerability in the Enphase IQ Gateway. Pathnames in URLs are not properly restricted, so an unprivileged attacker can potentially gain unauthorized access to files on the device or manipulate them. The flaw could allow malicious actors to create or access arbitrary files, posing significant risks to the integrity and confidentiality of sensitive data managed by the device. Affected versions range from 4.x to 8.x, excluding version 8.2.4225 and later. Organizations using the Enphase IQ Gateway should act immediately to mitigate this issue through timely updates and enhancements to their system configurations.
Affected Version(s)
IQ Gateway 8.0 < 8.2.4225
IQ Gateway 7.x
IQ Gateway 6.x
