DIVDVULNRICHMENT:CVE-2024-21878CVE-2024-21878 Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x
CVSS4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/SC:L/VI:H/SI:L/VA:H/SA:L/S:P/AU:Y/R:I/V:C/RE:H
AI Score
Confidence
High
EPSS
Percentile
28.7%
SSVC
Exploitation
none
Automatable
yes
Technical Impact
total
Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.
CNA Affected
[
{
"vendor": "Enphase",
"product": "Envoy",
"versions": [
{
"status": "affected",
"version": "8.x",
"lessThan": "8.2.4225",
"versionType": "semver"
},
{
"status": "affected",
"version": "7.x",
"versionType": "semver"
},
{
"status": "affected",
"version": "6.x",
"versionType": "semver"
},
{
"status": "affected",
"version": "5.x",
"versionType": "semver"
},
{
"status": "affected",
"version": "4.x",
"versionType": "semver"
}
],
"defaultStatus": "affected"
}
]ADP Affected
[
{
"cpes": [
"cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*"
],
"vendor": "enphase",
"product": "envoy",
"versions": [
{
"status": "affected",
"version": "4.0",
"lessThan": "8.2.4225",
"versionType": "semver"
}
],
"defaultStatus": "unknown"
}
]
CVSS4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/SC:L/VI:H/SI:L/VA:H/SA:L/S:P/AU:Y/R:I/V:C/RE:H
AI Score
Confidence
High
EPSS
Percentile
28.7%
SSVC
Exploitation
none
Automatable
yes
Technical Impact
total