CVE-2024-5217
Incomplete Input Validation in GlideExpression Script
In short
ServiceNow's GlideExpression script engine fails to properly validate user input, allowing attackers without authentication to execute arbitrary code on the platform. This is critical because it exposes the entire Now Platform infrastructure to remote compromise.
Technical detail
CWE-184 (Incomplete Input Validation) in GlideExpression permits unauthenticated remote code execution via inadequately sanitized script input. The vulnerability affects Washington DC, Vancouver, and earlier releases; exploitation occurs when untrusted input reaches the script execution context without sufficient validation, resulting in arbitrary code execution with platform privileges.
Summary generated and translated by AI from the official description.
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
ServiceNow · Now PlatformWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-5217https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit