CVE-2024-21877

Name of the Vulnerable Software and Affected Versions Enphase IQ Gateway (formerly known as Envoy) versions 4.x through 8.0 and less than 8.2.4225

Description The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as a Path Traversal vulnerability. This vulnerability allows file manipulation through a URL parameter in the Enphase IQ Gateway. The endpoint requires authentication, meaning an attacker would need to have valid credentials to exploit this issue.

Recommendations For versions 4.x through 8.0 and less than 8.2.4225, update to version 8.2.4225 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable URL parameter until a patch is available. Avoid using the vulnerable URL parameter in the affected endpoint until the issue is resolved.