{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-2005","assignerOrgId":"7bd90cf1-1651-495e-9ae8-9415fb3c9feb","state":"PUBLISHED","assignerShortName":"Ciena","dateReserved":"2024-02-29T11:16:19.384Z","datePublished":"2024-03-05T18:54:00.839Z","dateUpdated":"2024-08-29T17:10:16.253Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Inventory (BPI)","vendor":"Blue Planet","versions":[{"lessThanOrEqual":" 22.12","status":"affected","version":" early versions ","versionType":"custom"},{"status":"unaffected","version":" 21.10 MR11"},{"status":"unaffected","version":" 22.02 MR5"},{"status":"unaffected","version":" 22.08 MR4"}]},{"defaultStatus":"unaffected","product":"Orchestration (BPO)","vendor":"Blue Planet","versions":[{"lessThanOrEqual":" 22.12","status":"affected","version":" early versions ","versionType":"custom"},{"status":"unaffected","version":" 22.02.03"},{"status":"unaffected","version":" 22.08.05"},{"status":"unaffected","version":" 22.12.02"}]},{"defaultStatus":"unaffected","product":"Route Optimization and Analysis (ROA)","vendor":"Blue Planet","versions":[{"lessThanOrEqual":" 22.12","status":"affected","version":" early versions ","versionType":"custom"},{"status":"unaffected","version":" 22.02.P01.11-R"},{"status":"unaffected","version":" 22.08.P01.1-R"},{"status":"unaffected","version":" 22.12.P01.2.1-R"}]},{"defaultStatus":"unaffected","product":"Unified Assurance and Analytics (UAA) ","vendor":"Blue Planet","versions":[{"lessThanOrEqual":" 22.12","status":"affected","version":" early versions ","versionType":"custom"},{"status":"unaffected","version":" 22.02 MR5"},{"status":"unaffected","version":" 22.12 MR2"}]}],"credits":[{"lang":"en","type":"finder","value":"Discovered by Prerit Chandok at Comcast"}],"datePublic":"2024-03-04T17:07:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>\n\n</p><p>In Blue Planet®  products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected.<br><br>Blue Planet® has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.<br></p>\n\n<br><p></p>\n\n\n\n\n\n"}],"value":"\nIn Blue Planet®  products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected.\n\nBlue Planet® has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.\n\n"}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Escalation"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-269","description":"CWE-269 Improper Privilege Management","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7bd90cf1-1651-495e-9ae8-9415fb3c9feb","shortName":"Ciena","dateUpdated":"2024-04-03T16:34:59.282Z"},"references":[{"url":"https://www.ciena.com/product-security"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\nSoftware patch to be applied<br>"}],"value":"\nSoftware patch to be applied\n"}],"source":{"discovery":"UNKNOWN"},"title":"SAML implementation allows privilege escalation","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T18:56:22.708Z"},"title":"CVE Program Container","references":[{"url":"https://www.ciena.com/product-security","tags":["x_transferred"]}]},{"affected":[{"vendor":"blueplanet","product":"orchestration","cpes":["cpe:2.3:a:blueplanet:orchestration:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","versions":[{"version":"0","status":"affected","lessThanOrEqual":"22.12","versionType":"custom"},{"version":"22.02.03","status":"unaffected"},{"version":"22.08.05","status":"unaffected"},{"version":"22.12.02","status":"unaffected"}]},{"vendor":"blueplanet","product":"route_optimization_and_analysis","cpes":["cpe:2.3:a:blueplanet:route_optimization_and_analysis:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","versions":[{"version":"0","status":"affected","lessThanOrEqual":"22.12","versionType":"custom"},{"version":"22.02.p01.11-r","status":"unaffected"},{"version":"22.08.p01.1-r","status":"unaffected"},{"version":"22.12.p01.2.1-r","status":"unaffected"}]},{"vendor":"blueplanet","product":"inventory","cpes":["cpe:2.3:a:blueplanet:inventory:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","versions":[{"version":"0","status":"affected","lessThanOrEqual":"22.12","versionType":"custom"},{"version":"21.10_mr11","status":"unaffected"},{"version":"22.02_mr5","status":"unaffected"},{"version":"22.08_mr4","status":"unaffected"}]},{"vendor":"blueplanet","product":"unified_assurance_and_analytics","cpes":["cpe:2.3:a:blueplanet:unified_assurance_and_analytics:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","versions":[{"version":"0","status":"affected","lessThanOrEqual":"22.12","versionType":"custom"},{"version":"22.02_mr5","status":"unaffected"},{"version":"22.12_mr2","status":"unaffected"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-08-29T16:53:33.497826Z","id":"CVE-2024-2005","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-29T17:10:16.253Z"}}]}}