CVE-2024-21879
URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and < v8.2.4225
Severity Score
8.7
*CVSS v4
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through an url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection.This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.
*Credits:
Wietse Boonstra of DIVD, Hidde Smit of DIVD, Frank Breedijk of DIVD, Max van der Horst of DIVD
CVSS Scores
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-01-02 CVE Reserved
- 2024-08-10 CVE Published
- 2024-08-13 CVE Updated
- 2024-08-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
- CAPEC-88: OS Command Injection
References (3)
URL | Tag | Source |
---|---|---|
https://csirt.divd.nl/CVE-2024-21879 | Third Party Advisory | |
https://csirt.divd.nl/DIVD-2024-00011 | Related |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://enphase.com/cybersecurity/advisories/ensa-2024-4 | 2024-08-12 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Enphase Search vendor "Enphase" | Envoy Search vendor "Enphase" for product "Envoy" | >= 8.0.0 < 8.2.4225 Search vendor "Enphase" for product "Envoy" and version " >= 8.0.0 < 8.2.4225" | en |
Affected
|