CVE-2024-21878
Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x
Severity Score
9.2
*CVSS v4
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.
*Credits:
Wietse Boonstra of DIVD, Hidde Smit of DIVD, Frank Breedijk of DIVD, Max van der Horst of DIVD
CVSS Scores
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-01-02 CVE Reserved
- 2024-08-10 CVE Published
- 2024-08-12 CVE Updated
- 2024-08-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
- CAPEC-88: OS Command Injection
References (3)
| URL | Tag | Source |
|---|---|---|
| https://csirt.divd.nl/CVE-2024-21878 | Third Party Advisory | |
| https://csirt.divd.nl/DIVD-2024-00011 | Related |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://enphase.com/cybersecurity/advisories/ensa-2024-3 | 2024-08-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Enphase Search vendor "Enphase" | Envoy Search vendor "Enphase" for product "Envoy" | >= 8.0.0 < 8.2.4225 Search vendor "Enphase" for product "Envoy" and version " >= 8.0.0 < 8.2.4225" | en |
Affected
| ||||||