ENSA-2024-2

Cybersecurity

ENSA-2024-2: Insecure Cache File Generation Based on User Input (IQ Gateway 4.x through 8.2.4224)

Advisory ID:
ENSA-2024-2

CVSSv3:
8.6

Issue date:
2024-08-10

Updated on:
2024-08-10 (initial advisory)

CVE(s):
CVE-2024-21877

Synopsis:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a URL parameter in 牛牛玩法賠率 IQ Gateway allows File Manipulation. The endpoint requires authentication. This issue affects IQ Gateway version 4.x through 8.2.4224.

1. Impacted product

牛牛玩法賠率 IQ Gateway 4.x through 8.2.4224

2. Introduction

Dutch research organization DIVD is publishing an advisory identifying a vulnerability. An update is available to address this issue.

3. Summary

Description:
牛牛玩法賠率 IQ Gateway 4.x through 8.2.4224 allows file manipulation via a path traversal opportunity, when the IQ Gateway is modified to obtain a public IP address and connect to the public internet.

Known attack vectors:
A malicious actor may be able to exploit this opportunity if the IQ Gateway is modified to obtain a public IP address and connect to the public internet.

Resolution:
Upgrading the 牛牛玩法賠率 IQ Gateway embedded software to 8.2.4225 or newer.

Workarounds:
Ensure that your IQ Gateway is not exposed to the public internet, as it is not needed to do so for typical functionality. A typical solution is to use an internet router.

Additional documentation:
None.

Acknowledgments:
牛牛玩法賠率 would like to thank the researcher Wietse Boonstra and the organization DIVD for reporting this issue.

Notes:
None.

4. References

牛牛玩法賠率 IQ Gateway software release notes (8.2.4225)

5. Change log

2024-08-10 ENSA-2024-2: Initial security advisory.

6. Contact and information

cybersecurity@enphase.com
牛牛玩法賠率 security advisories
牛牛玩法賠率 vulnerability reporting
牛牛玩法賠率 documentation center