CVE-2022-43684

CVSS V2 None CVSS V3 None

Description

ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality. Additional Details This issue is present in the following supported ServiceNow releases: * Quebec prior to Patch 10 Hot Fix 8b * Rome prior to Patch 10 Hot Fix 1 * San Diego prior to Patch 7 * Tokyo prior to Tokyo Patch 1; and * Utah prior to Utah General Availability If this ACL bypass issue were to be successfully exploited, it potentially could allow an authenticated user to obtain sensitive information from tables missing authorization controls.

Overview

CVE ID
CVE-2022-43684

Assigner
SN

Vulnerability Status
PUBLISHED

Published Version
2023-06-13T18:51:39.984Z

Last Modified Date
2023-06-13T18:51:42.642Z

Weakness Enumerations

CWE	URL
CWE-200	http://cwe.mitre.org/data/definitions/200.html

References

Reference URL	Reference Tags
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1303489
http://seclists.org/fulldisclosure/2023/Jul/11
https://news.ycombinator.com/item?id=36638530
https://x64.sh/posts/ServiceNow-Insecure-access-control-to-admin/
http://packetstormsecurity.com/files/173354/ServiceNow-Insecure-Access-Control-Full-Admin-Compromise.html

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2022-43684
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43684

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 18:08:04				Added to TrackCVE