Advisory ID: ENSA-2024-2
CVSSv3: 8.6
Issue date: 2024-08-10
Updated on: 2024-08-10 (initial advisory)
CVE(s): CVE-2024-21877
Synopsis:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a URL parameter in Enphase IQ Gateway allows File Manipulation. The endpoint requires authentication. This issue affects IQ Gateway version 4.x through 8.2.4224.
1. Impacted product
Enphase IQ Gateway 4.x through 8.2.4224
2. Introduction
Dutch research organization DIVD is publishing an advisory identifying a vulnerability. An update is available to address this issue.
3. Summary
Description:
Enphase IQ Gateway 4.x through 8.2.4224 allows file manipulation via path traversal when the IQ Gateway has been modified to obtain a public IP address and connect directly to the public internet.
Known attack vectors:
A malicious actor may be able to exploit this vulnerability if the IQ Gateway has been modified to obtain a public IP address and connect directly to the public internet.
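Added illustration, not Enphase code (the advisory does not describe the affected endpoint or parameter): a hypothetical handler that maps a URL parameter to a file under a fixed directory, shown in the CWE-22 form next to a confined form that keeps the resolved path inside that directory. RESTRICTED_DIR, the function names and the sample parameter values are constructed.

```python
import os
from urllib.parse import unquote

# Constructed illustration of CWE-22 (the bug class named in this advisory).
# RESTRICTED_DIR and the handler shape are hypothetical, not the IQ Gateway's.
RESTRICTED_DIR = "/var/app/uploads"


def vulnerable_target(param: str) -> str:
    """CWE-22 form: the decoded URL parameter is joined to the base directory
    with no containment check. '../' climbs out of the base, and an absolute
    value makes os.path.join discard the base entirely, so the caller can name
    any file the process is allowed to write."""
    return os.path.normpath(os.path.join(RESTRICTED_DIR, unquote(param)))


def safe_target(param: str) -> str:
    """Confined form: resolve the candidate (symlinks included) and require it
    to remain inside the resolved base. The control is the containment check
    on the decoded, resolved path, not a denylist of '..' substrings, so
    percent-encoded variants that decode to '..' are caught the same way."""
    decoded = unquote(param)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path parameter")
    base = os.path.realpath(RESTRICTED_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath compares whole components, so '/var/app/uploads-old' is not
    # mistaken for a child of '/var/app/uploads'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path parameter escapes the restricted directory")
    return candidate


def is_confined(param: str) -> bool:
    """True if safe_target would accept the parameter, False if it rejects it."""
    try:
        safe_target(param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["reports/2024.csv", "../../../etc/passwd", "/etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{p!r:38} vulnerable -> {vulnerable_target(p):<20} confined -> {is_confined(p)}")
```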
Resolution:
Upgrade the Enphase IQ Gateway embedded software to 8.2.4225 or newer.
Workarounds:
Ensure that your IQ Gateway is not exposed to the public internet; internet exposure is not required for typical operation. Placing the gateway behind an internet router is the usual way to achieve this.
Additional documentation:
None.
Acknowledgments:
Enphase would like to thank the researcher Wietse Boonstra and the organization DIVD for reporting this issue.
Notes:
None.
4. References
Enphase IQ Gateway software release notes (8.2.4225)
5. Change log
2024-08-10 ENSA-2024-2: Initial security advisory.
6. Contact and information
cybersecurity@enphase.com
Enphase security advisories
Enphase vulnerability reporting
Enphase documentation center