Path Traversal Vulnerability in Enphase IQ Gateway (formerly known as Envoy) Allows File Manipulation
CVE-2024-21877
9.2 CRITICAL
What is CVE-2024-21877?
A path traversal vulnerability has been identified in the Enphase IQ Gateway (formerly known as Envoy) that allows unauthorized file manipulation through a crafted URL parameter. Exploitation requires authentication, but an authenticated attacker can access or manipulate files outside of the intended directory. The vulnerability affects versions from 4.x to 8.0 and versions below 8.2.4225, posing serious risks to the integrity of file systems. Users should update to the latest version and review their security measures to protect against potential exploitation.
Affected Version(s)
Envoy 8.0 < 8.2.4225
Envoy 7.x
Envoy 6.x
CVSS V4
Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Wietse Boonstra of DIVD
Hidde Smit of DIVD
Frank Breedijk of DIVD
Max van der Horst of DIVD
