Platform: other
Component: blue-planet-inventory-bpi
Fixed in: 22.12.1
CVE-2024-2005 is a privilege escalation vulnerability affecting Blue Planet Inventory (BPI) versions up to and including 22.12.P01.2.1-R. The flaw stems from a misconfiguration in the SAML authentication implementation that allows an authenticated user's privileges to be elevated without authorization. Exploitation is only possible when SAML authentication is in use. A fix is available in version 22.12.1.
An attacker exploiting CVE-2024-2005 could gain elevated privileges within the Blue Planet Inventory system. This could allow them to perform actions they are not authorized to do, such as modifying network configurations, accessing sensitive data, or potentially gaining control of the entire system. The impact is particularly severe because BPI is often used to manage critical network infrastructure, and unauthorized changes could disrupt services or compromise security. The ability to escalate privileges through a misconfiguration highlights the importance of secure SAML implementation and regular security audits.
CVE-2024-2005 was publicly disclosed on March 5, 2024. The vulnerability's severity is rated as CRITICAL (CVSS score 9.0). There are currently no publicly available proof-of-concept exploits. It is not currently listed on CISA KEV. Active exploitation is not confirmed at this time, but the critical severity warrants immediate attention and patching.
Exploit Status
EPSS: 0.07% (22nd percentile)
CVSS Vector
The primary mitigation for CVE-2024-2005 is to upgrade Blue Planet Inventory to version 22.12.1 or later. Before upgrading, review and validate all SAML configurations against security best practices; in particular, verify that SAML assertions are properly validated and that access controls are enforced on the service-provider side. If an immediate upgrade is not possible, consider temporarily disabling SAML authentication and reverting to a different authentication method, bearing in mind that this will affect user access. After upgrading, confirm the fix by attempting the privilege escalation scenario with a non-administrative user account and verifying that the attempt fails.
Update Blue Planet Inventory (BPI) to the latest version available from the Ciena Support Portal. This will correct the privilege escalation vulnerability in the SAML implementation. See the Ciena security advisory for more details.
CVE-2024-2005 is a critical vulnerability in Blue Planet Inventory in which a SAML misconfiguration allows attackers to escalate privileges, potentially gaining unauthorized access to and control of the system.
You are affected if you are using Blue Planet Inventory versions 22.12.P01.2.1-R or earlier and have SAML authentication enabled.
Upgrade Blue Planet Inventory to version 22.12.1 or later. Review and validate all SAML configurations to ensure security best practices are followed.
Active exploitation is not currently confirmed, but the vulnerability's critical severity warrants immediate patching.
Refer to the Ciena Support Portal for the official advisory and software updates related to CVE-2024-2005.