CVE-2024-5217

Warnung

Medienbericht

EPSS 94.11%
Veröffentlicht 10.07.2024 17:15:12
Zuletzt bearbeitet 03.11.2025 18:58:17
Quelle psirt@servicenow.com
CVE-Watchlists
Login
Unerledigt
Login

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Servicenow ≫ Servicenow Versionutah Update-

Servicenow ≫ Servicenow Versionutah Updateearly_availability

Servicenow ≫ Servicenow Versionutah Updatepatch_1

Servicenow ≫ Servicenow Versionutah Updatepatch_1_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_1_hotfix_1a

Servicenow ≫ Servicenow Versionutah Updatepatch_1_hotfix_1b

Servicenow ≫ Servicenow Versionutah Updatepatch_1_hotfix_2

Servicenow ≫ Servicenow Versionutah Updatepatch_10

Servicenow ≫ Servicenow Versionutah Updatepatch_10_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_10_hotfix_2

Servicenow ≫ Servicenow Versionutah Updatepatch_10a

Servicenow ≫ Servicenow Versionutah Updatepatch_10a_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_10b

Servicenow ≫ Servicenow Versionutah Updatepatch_2

Servicenow ≫ Servicenow Versionutah Updatepatch_2_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_2_hotfix_2

Servicenow ≫ Servicenow Versionutah Updatepatch_2_hotfix_3

Servicenow ≫ Servicenow Versionutah Updatepatch_2_hotfix_4

Servicenow ≫ Servicenow Versionutah Updatepatch_3

Servicenow ≫ Servicenow Versionutah Updatepatch_3_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_3_hotfix_1b

Servicenow ≫ Servicenow Versionutah Updatepatch_4

Servicenow ≫ Servicenow Versionutah Updatepatch_4_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_4_hotfix_2

Servicenow ≫ Servicenow Versionutah Updatepatch_4_hotfix_2a

Servicenow ≫ Servicenow Versionutah Updatepatch_4_hotfix_2b

Servicenow ≫ Servicenow Versionutah Updatepatch_4_hotfix_3

Servicenow ≫ Servicenow Versionutah Updatepatch_4_hotfix_3b

Servicenow ≫ Servicenow Versionutah Updatepatch_4_hotfix_4

Servicenow ≫ Servicenow Versionutah Updatepatch_4_hotfix_4b

Servicenow ≫ Servicenow Versionutah Updatepatch_4_hotfix_5

Servicenow ≫ Servicenow Versionutah Updatepatch_5

Servicenow ≫ Servicenow Versionutah Updatepatch_5_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_6

Servicenow ≫ Servicenow Versionutah Updatepatch_6_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_6_hotfix_2

Servicenow ≫ Servicenow Versionutah Updatepatch_7

Servicenow ≫ Servicenow Versionutah Updatepatch_7_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_7_hotfix_2

Servicenow ≫ Servicenow Versionutah Updatepatch_7a

Servicenow ≫ Servicenow Versionutah Updatepatch_7b

Servicenow ≫ Servicenow Versionutah Updatepatch_8

Servicenow ≫ Servicenow Versionutah Updatepatch_8_hotfix_2

Servicenow ≫ Servicenow Versionutah Updatepatch_9

Servicenow ≫ Servicenow Versionutah Updatepatch_9_hotfix_1

Servicenow ≫ Servicenow Versionutah Updatepatch_9_hotfix_1a

Servicenow ≫ Servicenow Versionutah Updatepatch_9_hotfix_1b

Servicenow ≫ Servicenow Versionvancouver Update-

Servicenow ≫ Servicenow Versionvancouver Updatepatch_1

Servicenow ≫ Servicenow Versionvancouver Updatepatch_1_hotfix_1

Servicenow ≫ Servicenow Versionvancouver Updatepatch_2

Servicenow ≫ Servicenow Versionvancouver Updatepatch_2_hotfix_1

Servicenow ≫ Servicenow Versionvancouver Updatepatch_2_hotfix_1a

Servicenow ≫ Servicenow Versionvancouver Updatepatch_2_hotfix_2

Servicenow ≫ Servicenow Versionvancouver Updatepatch_2_hotfix_3

Servicenow ≫ Servicenow Versionvancouver Updatepatch_2_hotfix1a

Servicenow ≫ Servicenow Versionvancouver Updatepatch_3

Servicenow ≫ Servicenow Versionvancouver Updatepatch_3_hotfix_1

Servicenow ≫ Servicenow Versionvancouver Updatepatch_3_hotfix_2

Servicenow ≫ Servicenow Versionvancouver Updatepatch_3_hotfix_3

Servicenow ≫ Servicenow Versionvancouver Updatepatch_3_hotfix_4

Servicenow ≫ Servicenow Versionvancouver Updatepatch_4

Servicenow ≫ Servicenow Versionvancouver Updatepatch_4_hotfix_1

Servicenow ≫ Servicenow Versionvancouver Updatepatch_4_hotfix_1a

Servicenow ≫ Servicenow Versionvancouver Updatepatch_4_hotfix_1b

Servicenow ≫ Servicenow Versionvancouver Updatepatch_4_hotfix_2b

Servicenow ≫ Servicenow Versionvancouver Updatepatch_5

Servicenow ≫ Servicenow Versionvancouver Updatepatch_5_hotfix_1

Servicenow ≫ Servicenow Versionvancouver Updatepatch_6

Servicenow ≫ Servicenow Versionvancouver Updatepatch_6_hotfix_1

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotfix_1

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotfix_1a

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotfix_2

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotfix_2a

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotfix_2b

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotfix_3a

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotfix_4

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotifix_1a

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotifix_1b

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotifix_2a

Servicenow ≫ Servicenow Versionvancouver Updatepatch_7_hotifix_2b

Servicenow ≫ Servicenow Versionvancouver Updatepatch_8

Servicenow ≫ Servicenow Versionvancouver Updatepatch_8_hotfix_1

Servicenow ≫ Servicenow Versionvancouver Updatepatch_8_hotfix_2

Servicenow ≫ Servicenow Versionvancouver Updatepatch_8_hotfix_3

Servicenow ≫ Servicenow Versionvancouver Updatepatch_9

Servicenow ≫ Servicenow Versionwashington_dc Update-

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_1

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_1_hotfix_1

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_1_hotfix_2

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_1_hotfix_2a

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_1_hotfix_2b

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_2

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_2_hotfix_1

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_3

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_3_hotfix_1

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_4

Servicenow ≫ Servicenow Versionwashington_dc Updatepatch_5

29.07.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

ServiceNow Incomplete List of Disallowed Inputs Vulnerability

Schwachstelle

ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.11%	0.999

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
psirt@servicenow.com	9.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
psirt@servicenow.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-697 Incorrect Comparison

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293

Permissions Required

https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit

Press/Media Coverage

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-5217

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2024-5217

CVE Source (NVD)