github - ghsa-j7p2-m4ff-pw4r

GHSA-J7P2-M4FF-PW4R

Vulnerability from github – Published: 2024-03-06 12:30 – Updated: 2025-11-13 18:30

Details

In Blue Planet® products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected.

Blue Planet® has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.

Severity ?

9.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-2005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-06T12:15:45Z",
    "severity": "CRITICAL"
  },
  "details": "In Blue Planet\u00ae  products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected.\n\nBlue Planet\u00ae has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.",
  "id": "GHSA-j7p2-m4ff-pw4r",
  "modified": "2025-11-13T18:30:59Z",
  "published": "2024-03-06T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2005"
    },
    {
      "type": "WEB",
      "url": "https://www.ciena.com/product-security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2024-2005 (GCVE-0-2024-2005)

Vulnerability from cvelistv5 – Published: 2024-03-05 18:54 – Updated: 2024-08-29 17:10

Summary

In Blue Planet® products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected. Blue Planet® has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.

Severity ?

9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-269 - Improper Privilege Management

Assigner

Ciena

References

URL

Tags

https://www.ciena.com/product-security

Impacted products

Vendor

Product

Version

Blue Planet

Inventory (BPI)

Affected: early versions , ≤ 22.12 (custom)
Unaffected: 21.10 MR11
Unaffected: 22.02 MR5
Unaffected: 22.08 MR4

Blue Planet	Orchestration (BPO)	Affected: early versions , ≤ 22.12 (custom) Unaffected: 22.02.03 Unaffected: 22.08.05 Unaffected: 22.12.02
Blue Planet	Route Optimization and Analysis (ROA)	Affected: early versions , ≤ 22.12 (custom) Unaffected: 22.02.P01.11-R Unaffected: 22.08.P01.1-R Unaffected: 22.12.P01.2.1-R
Blue Planet	Unified Assurance and Analytics (UAA)	Affected: early versions , ≤ 22.12 (custom) Unaffected: 22.02 MR5 Unaffected: 22.12 MR2

Credits

Discovered by Prerit Chandok at Comcast

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:56:22.708Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ciena.com/product-security"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:blueplanet:orchestration:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "orchestration",
            "vendor": "blueplanet",
            "versions": [
              {
                "lessThanOrEqual": "22.12",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "status": "unaffected",
                "version": "22.02.03"
              },
              {
                "status": "unaffected",
                "version": "22.08.05"
              },
              {
                "status": "unaffected",
                "version": "22.12.02"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:blueplanet:route_optimization_and_analysis:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "route_optimization_and_analysis",
            "vendor": "blueplanet",
            "versions": [
              {
                "lessThanOrEqual": "22.12",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "status": "unaffected",
                "version": "22.02.p01.11-r"
              },
              {
                "status": "unaffected",
                "version": "22.08.p01.1-r"
              },
              {
                "status": "unaffected",
                "version": "22.12.p01.2.1-r"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:blueplanet:inventory:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "inventory",
            "vendor": "blueplanet",
            "versions": [
              {
                "lessThanOrEqual": "22.12",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "status": "unaffected",
                "version": "21.10_mr11"
              },
              {
                "status": "unaffected",
                "version": "22.02_mr5"
              },
              {
                "status": "unaffected",
                "version": "22.08_mr4"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:blueplanet:unified_assurance_and_analytics:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "unified_assurance_and_analytics",
            "vendor": "blueplanet",
            "versions": [
              {
                "lessThanOrEqual": "22.12",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "status": "unaffected",
                "version": "22.02_mr5"
              },
              {
                "status": "unaffected",
                "version": "22.12_mr2"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-2005",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-29T16:53:33.497826Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T17:10:16.253Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Inventory (BPI)",
          "vendor": "Blue Planet",
          "versions": [
            {
              "lessThanOrEqual": " 22.12",
              "status": "affected",
              "version": " early versions ",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": " 21.10 MR11"
            },
            {
              "status": "unaffected",
              "version": " 22.02 MR5"
            },
            {
              "status": "unaffected",
              "version": " 22.08 MR4"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Orchestration (BPO)",
          "vendor": "Blue Planet",
          "versions": [
            {
              "lessThanOrEqual": " 22.12",
              "status": "affected",
              "version": " early versions ",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": " 22.02.03"
            },
            {
              "status": "unaffected",
              "version": " 22.08.05"
            },
            {
              "status": "unaffected",
              "version": " 22.12.02"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Route Optimization and Analysis (ROA)",
          "vendor": "Blue Planet",
          "versions": [
            {
              "lessThanOrEqual": " 22.12",
              "status": "affected",
              "version": " early versions ",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": " 22.02.P01.11-R"
            },
            {
              "status": "unaffected",
              "version": " 22.08.P01.1-R"
            },
            {
              "status": "unaffected",
              "version": " 22.12.P01.2.1-R"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Unified Assurance and Analytics (UAA) ",
          "vendor": "Blue Planet",
          "versions": [
            {
              "lessThanOrEqual": " 22.12",
              "status": "affected",
              "version": " early versions ",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": " 22.02 MR5"
            },
            {
              "status": "unaffected",
              "version": " 22.12 MR2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Discovered by Prerit Chandok at Comcast"
        }
      ],
      "datePublic": "2024-03-04T17:07:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eIn Blue Planet\u00ae  products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected.\u003cbr\u003e\u003cbr\u003eBlue Planet\u00ae has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\n\n\n\n\n\n"
            }
          ],
          "value": "\nIn Blue Planet\u00ae  products through 22.12, a misconfiguration in the SAML implementation allows for privilege escalation. Only products using SAML authentication are affected.\n\nBlue Planet\u00ae has released software updates that address this vulnerability for the affected products. Customers are advised to upgrade their Blue Planet products to the latest software version as soon as possible. The software updates can be downloaded from the Ciena Support Portal.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-03T16:34:59.282Z",
        "orgId": "7bd90cf1-1651-495e-9ae8-9415fb3c9feb",
        "shortName": "Ciena"
      },
      "references": [
        {
          "url": "https://www.ciena.com/product-security"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\nSoftware patch to be applied\u003cbr\u003e"
            }
          ],
          "value": "\nSoftware patch to be applied\n"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SAML implementation allows privilege escalation",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7bd90cf1-1651-495e-9ae8-9415fb3c9feb",
    "assignerShortName": "Ciena",
    "cveId": "CVE-2024-2005",
    "datePublished": "2024-03-05T18:54:00.839Z",
    "dateReserved": "2024-02-29T11:16:19.384Z",
    "dateUpdated": "2024-08-29T17:10:16.253Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-J7P2-M4FF-PW4R

CVE-2024-2005 (GCVE-0-2024-2005)

Tags

Sightings

Nomenclature