CVE-2024-5217

CVSS v4.0 9.2 (Critical)
CVSS v3.1 9.8 (Critical)
EPSS 96.00 % (100th)
Affected Products 1
Advisories 1
NVD Status Analyzed

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

Weaknesses
CWE-184
Incomplete List of Disallowed Inputs
CWE-697
Incorrect Comparison
CVE Status
PUBLISHED
NVD Status
Analyzed
CNA
ServiceNow
Published Date
2024-07-10 17:15:12
(8 weeks ago)
Updated Date
2024-07-30 15:20:54
(5 weeks ago)
ServiceNow Incomplete List of Disallowed Inputs Vulnerability (CISA - Known Exploited Vulnerabilities Catalog)
Description
ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.
Required Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known to be Used in Ransomware Campaigns
Unknown
Notes
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313
Vendor
ServiceNow
Product
Utah, Vancouver, and Washington DC Now
In CISA Catalog from
2024-07-29
(5 weeks ago)
Due Date
2024-08-19
(2 weeks ago)

Affected Products


Configuration #1

    CPE23 From Up To
  Servicenow Utah cpe:2.3:a:servicenow:servicenow:utah:-
  Servicenow Utah Patch 1 cpe:2.3:a:servicenow:servicenow:utah:patch_1
  Servicenow Utah Patch 1 Hotfix 1 cpe:2.3:a:servicenow:servicenow:utah:patch_1_hotfix_1
  Servicenow Utah Patch 1 Hotfix 1a cpe:2.3:a:servicenow:servicenow:utah:patch_1_hotfix_1a
  Servicenow Utah Patch 1 Hotfix 1b cpe:2.3:a:servicenow:servicenow:utah:patch_1_hotfix_1b
  Servicenow Utah Patch 1 Hotfix 2 cpe:2.3:a:servicenow:servicenow:utah:patch_1_hotfix_2
  Servicenow Utah Patch 10 cpe:2.3:a:servicenow:servicenow:utah:patch_10
  Servicenow Utah Patch 2 cpe:2.3:a:servicenow:servicenow:utah:patch_2
  Servicenow Utah Patch 2 Hotfix 1 cpe:2.3:a:servicenow:servicenow:utah:patch_2_hotfix_1
  Servicenow Utah Patch 2 Hotfix 2 cpe:2.3:a:servicenow:servicenow:utah:patch_2_hotfix_2
  Servicenow Utah Patch 2 Hotfix 3 cpe:2.3:a:servicenow:servicenow:utah:patch_2_hotfix_3
  Servicenow Utah Patch 3 cpe:2.3:a:servicenow:servicenow:utah:patch_3
  Servicenow Utah Patch 3 Hotfix 1 cpe:2.3:a:servicenow:servicenow:utah:patch_3_hotfix_1
  Servicenow Utah Patch 3 Hotfix 1b cpe:2.3:a:servicenow:servicenow:utah:patch_3_hotfix_1b
  Servicenow Utah Patch 4 cpe:2.3:a:servicenow:servicenow:utah:patch_4
  Servicenow Utah Patch 4 Hotfix 2a cpe:2.3:a:servicenow:servicenow:utah:patch_4_hotfix_2a
  Servicenow Utah Patch 4 Hotfix 2b cpe:2.3:a:servicenow:servicenow:utah:patch_4_hotfix_2b
  Servicenow Utah Patch 5 cpe:2.3:a:servicenow:servicenow:utah:patch_5
  Servicenow Utah Patch 6 cpe:2.3:a:servicenow:servicenow:utah:patch_6
  Servicenow Utah Patch 7 cpe:2.3:a:servicenow:servicenow:utah:patch_7
  Servicenow Utah Patch 7a cpe:2.3:a:servicenow:servicenow:utah:patch_7a
  Servicenow Utah Patch 7b cpe:2.3:a:servicenow:servicenow:utah:patch_7b
  Servicenow Utah Patch 8 cpe:2.3:a:servicenow:servicenow:utah:patch_8
  Servicenow Utah Patch 9 cpe:2.3:a:servicenow:servicenow:utah:patch_9
  Servicenow Utah Patch 9 Hotfix 1a cpe:2.3:a:servicenow:servicenow:utah:patch_9_hotfix_1a
  Servicenow Vancouver cpe:2.3:a:servicenow:servicenow:vancouver:-
  Servicenow Vancouver Patch 1 cpe:2.3:a:servicenow:servicenow:vancouver:patch_1
  Servicenow Vancouver Patch 2 cpe:2.3:a:servicenow:servicenow:vancouver:patch_2
  Servicenow Vancouver Patch 2 Hotfix 1a cpe:2.3:a:servicenow:servicenow:vancouver:patch_2_hotfix_1a
  Servicenow Vancouver Patch 3 cpe:2.3:a:servicenow:servicenow:vancouver:patch_3
  Servicenow Vancouver Patch 4 cpe:2.3:a:servicenow:servicenow:vancouver:patch_4
  Servicenow Vancouver Patch 4 Hotfix 1a cpe:2.3:a:servicenow:servicenow:vancouver:patch_4_hotfix_1a
  Servicenow Vancouver Patch 4 Hotfix 1b cpe:2.3:a:servicenow:servicenow:vancouver:patch_4_hotfix_1b
  Servicenow Vancouver Patch 5 cpe:2.3:a:servicenow:servicenow:vancouver:patch_5
  Servicenow Vancouver Patch 6 cpe:2.3:a:servicenow:servicenow:vancouver:patch_6
  Servicenow Vancouver Patch 7 cpe:2.3:a:servicenow:servicenow:vancouver:patch_7
  Servicenow Vancouver Patch 7 Hotfix 1a cpe:2.3:a:servicenow:servicenow:vancouver:patch_7_hotfix_1a
  Servicenow Vancouver Patch 7 Hotfix 2a cpe:2.3:a:servicenow:servicenow:vancouver:patch_7_hotfix_2a
  Servicenow Vancouver Patch 7 Hotfix 2b cpe:2.3:a:servicenow:servicenow:vancouver:patch_7_hotfix_2b
  Servicenow Vancouver Patch 8 cpe:2.3:a:servicenow:servicenow:vancouver:patch_8
  Servicenow Washington Dc cpe:2.3:a:servicenow:servicenow:washington_dc:-
  Servicenow Washington Dc Patch 1 cpe:2.3:a:servicenow:servicenow:washington_dc:patch_1
  Servicenow Washington Dc Patch 1 Hotfix 2a cpe:2.3:a:servicenow:servicenow:washington_dc:patch_1_hotfix_2a
  Servicenow Washington Dc Patch 2 cpe:2.3:a:servicenow:servicenow:washington_dc:patch_2
  Servicenow Washington Dc Patch 3 cpe:2.3:a:servicenow:servicenow:washington_dc:patch_3