ServiceNow Incomplete List of Disallowed Inputs Vulnerability

Added July 29, 2024 • Due Aug. 19, 2024 • CVE-2024-5217

Overdue ServiceNow / Utah, Vancouver, and Washington DC Now CWE-184

Description

ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.

Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

References

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313
https://nvd.nist.gov/vuln/detail/CVE-2024-5217

Additional Information

Catalog Version: 2025.01.24
Catalog Released: Jan. 24, 2025
Days Until Due: 0 days
Last Updated: 5 months, 2 weeks ago