CVE-2024-21879

Name of the Vulnerable Software and Affected Versions Enphase IQ Gateway (formerly known as Envoy) versions 4.x through 8.x and versions prior to 8.2.4225

Description The issue is related to an Improper Neutralization of Special Elements used in a Command, also known as 'Command Injection' vulnerability. This vulnerability can be exploited through an URL parameter of an authenticated endpoint, allowing OS Command Injection.

Recommendations For Enphase IQ Gateway versions 4.x through 8.x and versions prior to 8.2.4225, update to version 8.2.4225 or later to resolve the issue. As a temporary workaround, consider restricting access to the authenticated endpoint until a patch is available. Avoid using the vulnerable URL parameter in the affected endpoint until the issue is resolved.