CVE-2024-5178 | THREATINT

Assigner	SN
Reserved	2024-05-21
Published	2024-07-10
Updated	2024-08-01

Description

ServiceNow has addressed a sensitive file read vulnerability that was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This vulnerability could allow an administrative user to gain unauthorized access to sensitive files on the web application server. The vulnerability is addressed in the listed patches and hot fixes, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

MEDIUM: 6.9	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-184 Incomplete List of Disallowed Inputs

Product status

Default status

unaffected

Any version before Utah Patch 10 Hot Fix 3

affected

Any version before Utah Patch 10a Hot Fix 2

affected

Any version before Utah Patch 10b Hot Fix 1

affected

Any version before Vancouver Patch 6 Hot Fix 2

affected

Any version before Vancouver Patch 7 Hot Fix 3b

affected

Any version before Vancouver Patch 8 Hot Fix 4

affected

Any version before Vancouver Patch 9 Hot Fix 1

affected

Any version before Vancouver Patch 10

affected

Any version before Washington DC Patch 1 Hot Fix 3b

affected

Any version before Washington DC Patch 2 Hot Fix 2

affected

Any version before Washington DC Patch 3 Hot Fix 2

affected

Any version before Washington DC Patch 4

affected

Credits

Adam Kues 0x4004d92bd0

Assetnote Attack Surface Management 0x4004d92be0

References

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648312

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293

cve.org CVE-2024-5178

nvd.nist.gov CVE-2024-5178

Download JSON