mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-28 01:02:25 +00:00
{
|
|
"id": "CVE-2024-5217",
|
|
"sourceIdentifier": "psirt@servicenow.com",
|
|
"published": "2024-07-10T17:15:12.373",
|
|
"lastModified": "2024-07-30T15:20:54.727",
|
|
"vulnStatus": "Analyzed",
|
|
"cveTags": [],
|
|
"cisaExploitAdd": "2024-07-29",
|
|
"cisaActionDue": "2024-08-19",
|
|
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
|
|
"cisaVulnerabilityName": "ServiceNow Incomplete List of Disallowed Inputs Vulnerability",
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform.\u00a0The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible."
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "ServiceNow ha abordado una vulnerabilidad de validaci\u00f3n de entrada que se identific\u00f3 en las versiones de Washington DC, Vancouver y versiones anteriores de Now Platform. Esta vulnerabilidad podr\u00eda permitir que un usuario no autenticado ejecute c\u00f3digo de forma remota dentro del contexto de Now Platform. La vulnerabilidad se aborda en los parches y correcciones urgentes que se enumeran a continuaci\u00f3n, que se lanzaron durante el ciclo de parches de junio de 2024. Si a\u00fan no lo ha hecho, le recomendamos aplicar los parches de seguridad relevantes para su instancia lo antes posible."
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV40": [
|
|
{
|
|
"source": "psirt@servicenow.com",
|
|
"type": "Secondary",
|
|
"cvssData": {
|
|
"version": "4.0",
|
|
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"attackRequirements": "PRESENT",
|
|
"privilegesRequired": "NONE",
|
|
"userInteraction": "NONE",
|
|
"vulnerableSystemConfidentiality": "HIGH",
|
|
"vulnerableSystemIntegrity": "HIGH",
|
|
"vulnerableSystemAvailability": "HIGH",
|
|
"subsequentSystemConfidentiality": "NONE",
|
|
"subsequentSystemIntegrity": "NONE",
|
|
"subsequentSystemAvailability": "NONE",
|
|
"exploitMaturity": "NOT_DEFINED",
|
|
"confidentialityRequirements": "NOT_DEFINED",
|
|
"integrityRequirements": "NOT_DEFINED",
|
|
"availabilityRequirements": "NOT_DEFINED",
|
|
"modifiedAttackVector": "NOT_DEFINED",
|
|
"modifiedAttackComplexity": "NOT_DEFINED",
|
|
"modifiedAttackRequirements": "NOT_DEFINED",
|
|
"modifiedPrivilegesRequired": "NOT_DEFINED",
|
|
"modifiedUserInteraction": "NOT_DEFINED",
|
|
"modifiedVulnerableSystemConfidentiality": "NOT_DEFINED",
|
|
"modifiedVulnerableSystemIntegrity": "NOT_DEFINED",
|
|
"modifiedVulnerableSystemAvailability": "NOT_DEFINED",
|
|
"modifiedSubsequentSystemConfidentiality": "NOT_DEFINED",
|
|
"modifiedSubsequentSystemIntegrity": "NOT_DEFINED",
|
|
"modifiedSubsequentSystemAvailability": "NOT_DEFINED",
|
|
"safety": "NOT_DEFINED",
|
|
"automatable": "NOT_DEFINED",
|
|
"recovery": "NOT_DEFINED",
|
|
"valueDensity": "NOT_DEFINED",
|
|
"vulnerabilityResponseEffort": "NOT_DEFINED",
|
|
"providerUrgency": "NOT_DEFINED",
|
|
"baseScore": 9.2,
|
|
"baseSeverity": "CRITICAL"
|
|
}
|
|
}
|
|
],
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "NONE",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "HIGH",
|
|
"baseScore": 9.8,
|
|
"baseSeverity": "CRITICAL"
|
|
},
|
|
"exploitabilityScore": 3.9,
|
|
"impactScore": 5.9
|
|
},
|
|
{
|
|
"source": "psirt@servicenow.com",
|
|
"type": "Secondary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "NONE",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "HIGH",
|
|
"baseScore": 9.8,
|
|
"baseSeverity": "CRITICAL"
|
|
},
|
|
"exploitabilityScore": 3.9,
|
|
"impactScore": 5.9
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-697"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"source": "psirt@servicenow.com",
|
|
"type": "Secondary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-184"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:-:*:*:*:*:*:*",
|
|
"matchCriteriaId": "69E0078E-1953-4F4F-9D5A-B1A140C4B310"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "DB5CA109-5DC1-4952-AC15-69FAC332BCA2"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_1_hotfix_1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "44506775-0370-4583-9236-6C9F646B6622"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_1_hotfix_1a:*:*:*:*:*:*",
|
|
"matchCriteriaId": "1A76B918-45DB-49A9-B323-5CB6FF8200AA"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_1_hotfix_1b:*:*:*:*:*:*",
|
|
"matchCriteriaId": "118B4618-8702-4C38-88EE-B41C2C9DBF31"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_1_hotfix_2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "92BED123-0FFC-4113-B0B6-A1A8BD69F4CF"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_10:*:*:*:*:*:*",
|
|
"matchCriteriaId": "76439FC6-2DD2-4AD4-9EB6-A2FEAC10B205"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "98E3E0AF-A341-43BB-91C6-75BBDE695280"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_2_hotfix_1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "20AC3991-0E5B-4164-807F-0E270B1867BE"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_2_hotfix_2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "44F86BEB-77D0-41AF-816C-F73B2D9601FE"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_2_hotfix_3:*:*:*:*:*:*",
|
|
"matchCriteriaId": "C9C467AA-B1A2-4A2A-8363-623232BCBCA0"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_3:*:*:*:*:*:*",
|
|
"matchCriteriaId": "9D6885DD-230B-468B-B936-7512BE80849D"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_3_hotfix_1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "1476C240-FCB0-43E3-9C79-2264DB6C200A"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_3_hotfix_1b:*:*:*:*:*:*",
|
|
"matchCriteriaId": "9783CA53-CDBD-44F0-B2B9-8C49EBE9FCB4"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_4:*:*:*:*:*:*",
|
|
"matchCriteriaId": "481EC1AA-5863-4641-B67F-CD51416ED0EA"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_4_hotfix_2a:*:*:*:*:*:*",
|
|
"matchCriteriaId": "05587BC2-574F-42B6-A121-7ACFD0691ED5"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_4_hotfix_2b:*:*:*:*:*:*",
|
|
"matchCriteriaId": "76D69B8D-02EE-4E3D-9F54-E94F6DB09D5B"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_5:*:*:*:*:*:*",
|
|
"matchCriteriaId": "8D934721-565F-4707-A32A-B7E4BB9D2DD0"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_6:*:*:*:*:*:*",
|
|
"matchCriteriaId": "122E0C17-B29B-44B9-A37E-745B103AD398"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_7:*:*:*:*:*:*",
|
|
"matchCriteriaId": "8BD49264-D243-4625-828C-AF383D826779"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_7a:*:*:*:*:*:*",
|
|
"matchCriteriaId": "0F601F74-593A-4566-A763-EF05E5138FA7"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_7b:*:*:*:*:*:*",
|
|
"matchCriteriaId": "47D4CC0E-E3F5-49AB-9D92-AC8FFB17A4C0"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_8:*:*:*:*:*:*",
|
|
"matchCriteriaId": "8A4CD267-D72A-4F09-BE9B-F008B1804AD9"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_9:*:*:*:*:*:*",
|
|
"matchCriteriaId": "26D23EE3-0F88-47F7-ADCD-B74F81A08D9B"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:utah:patch_9_hotfix_1a:*:*:*:*:*:*",
|
|
"matchCriteriaId": "38DDACA8-69A9-4047-AD99-A7DDC320EAD8"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:-:*:*:*:*:*:*",
|
|
"matchCriteriaId": "9DB67FCA-6127-486F-A866-3D5E63B81C35"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "9132AB29-33C1-4825-BAD4-2804C26316B1"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "E8FCCFB6-DB7E-4DED-A7E0-1C03087754F5"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_2_hotfix_1a:*:*:*:*:*:*",
|
|
"matchCriteriaId": "8CFD4017-5B8E-4CAF-B9E5-4A675C11F01A"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_3:*:*:*:*:*:*",
|
|
"matchCriteriaId": "0B915FDA-9DCB-43B5-8081-F0690996A3EF"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_4:*:*:*:*:*:*",
|
|
"matchCriteriaId": "A74A3197-68F7-4303-A731-B87A8BF3F831"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_4_hotfix_1a:*:*:*:*:*:*",
|
|
"matchCriteriaId": "5F6A6F12-4D7A-4FD3-8FD6-C32D797BB810"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_4_hotfix_1b:*:*:*:*:*:*",
|
|
"matchCriteriaId": "847F9124-F3C6-4C93-9E80-544CB0580C8C"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_5:*:*:*:*:*:*",
|
|
"matchCriteriaId": "81880B84-5E9D-4B7F-B1D5-1BF8D25DAF5D"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_6:*:*:*:*:*:*",
|
|
"matchCriteriaId": "A58603E3-5AFC-4606-8F9E-1B4FF9A9B843"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_7:*:*:*:*:*:*",
|
|
"matchCriteriaId": "ABE64339-EF0B-4430-9768-FA7DE82AA61F"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_7_hotfix_1a:*:*:*:*:*:*",
|
|
"matchCriteriaId": "A3E71353-9AFF-4B6D-89BC-A2909A7C5DDF"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_7_hotfix_2a:*:*:*:*:*:*",
|
|
"matchCriteriaId": "EAA2E502-FCBC-404D-8FFA-4601F1D5B747"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_7_hotfix_2b:*:*:*:*:*:*",
|
|
"matchCriteriaId": "650956A6-8DE6-4C16-A77C-2B208B41DF5F"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:vancouver:patch_8:*:*:*:*:*:*",
|
|
"matchCriteriaId": "C641B881-7379-448A-A785-3381C72F8353"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:washington_dc:-:*:*:*:*:*:*",
|
|
"matchCriteriaId": "FFAC3BF9-2443-4C43-B67A-2BB99297D295"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:washington_dc:patch_1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "444DD275-789F-4C07-9D98-BBFAA1640DB3"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:washington_dc:patch_1_hotfix_2a:*:*:*:*:*:*",
|
|
"matchCriteriaId": "1DA447CA-A6A2-436C-9909-3F0419B7DD6F"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:washington_dc:patch_2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "D18E2CD1-AC8E-4ABF-88DE-D3E61A297ED1"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:servicenow:servicenow:washington_dc:patch_3:*:*:*:*:*:*",
|
|
"matchCriteriaId": "6137BB81-6B48-4DCB-A9F6-A27D869C12FC"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293",
|
|
"source": "psirt@servicenow.com",
|
|
"tags": [
|
|
"Permissions Required"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313",
|
|
"source": "psirt@servicenow.com",
|
|
"tags": [
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploit",
|
|
"source": "psirt@servicenow.com",
|
|
"tags": [
|
|
"Press/Media Coverage"
|
|
]
|
|
}
|
|
]
|
|
} |