Lucene search

CienaCVELIST:CVE-2024-2005

HistoryMar 05, 2024 - 6:54 p.m.

CVE-2024-2005 SAML implementation allows privilege escalation

2024-03-0518:54:00

CWE-269

Ciena

www.cve.org

cve-2024-2005

saml implementation

privilege escalation

blue planet®

misconfiguration

software updates

ciena support portal

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

In Blue Planet® products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected.

Blue Planet® has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Inventory (BPI)",
    "vendor": "Blue Planet",
    "versions": [
      {
        "lessThanOrEqual": " 22.12",
        "status": "affected",
        "version": " early versions ",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": " 21.10 MR11"
      },
      {
        "status": "unaffected",
        "version": " 22.02 MR5"
      },
      {
        "status": "unaffected",
        "version": " 22.08 MR4"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Orchestration (BPO)",
    "vendor": "Blue Planet",
    "versions": [
      {
        "lessThanOrEqual": " 22.12",
        "status": "affected",
        "version": " early versions ",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": " 22.02.03"
      },
      {
        "status": "unaffected",
        "version": " 22.08.05"
      },
      {
        "status": "unaffected",
        "version": " 22.12.02"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Route Optimization and Analysis (ROA)",
    "vendor": "Blue Planet",
    "versions": [
      {
        "lessThanOrEqual": " 22.12",
        "status": "affected",
        "version": " early versions ",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": " 22.02.P01.11-R"
      },
      {
        "status": "unaffected",
        "version": " 22.08.P01.1-R"
      },
      {
        "status": "unaffected",
        "version": " 22.12.P01.2.1-R"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Unified Assurance and Analytics (UAA) ",
    "vendor": "Blue Planet",
    "versions": [
      {
        "lessThanOrEqual": " 22.12",
        "status": "affected",
        "version": " early versions ",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": " 22.02 MR5"
      },
      {
        "status": "unaffected",
        "version": " 22.12 MR2"
      }
    ]
  }
]

References

www.ciena.com/product-security

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-2005