Username Enumeration Vulnerability in ServiceNow Orlando by ServiceNow
CVE-2021-45901

5.3MEDIUM

Key Information:

Vendor: Servicenow
Status: Servicenow
Vendor: CVE Published:; 10 February 2022

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 29%

What is CVE-2021-45901?

The password-reset functionality in ServiceNow Orlando exhibits a username enumeration vulnerability. This flaw allows attackers to determine the existence of user accounts based on different response behaviors provided during authentication attempts. Specifically, when an invalid username is entered, the application reveals whether the username is valid based on the responses from the server. This can potentially allow malicious users to compile a list of existing usernames within the system, increasing the risk of targeted attacks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-45901
Created by 9lyph

References

https://www.trustwave.com/en-us/resources/security-resour...

x_refsource_MISC

https://www.trustwave.com/en-us/resources/blogs/spiderlab...

x_refsource_MISC

http://packetstormsecurity.com/files/165989/ServiceNow-Or...

x_refsource_MISC

EPSS Score

29% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 10, 2022
Vulnerability Reserved
Dec 27, 2021
🟡
Public PoC available
Sep 1, 2021
👾
Exploit known to exist
Sep 1, 2021

Servicenow

Badges

What is CVE-2021-45901?

Exploit Proof of Concept (PoC)

References

EPSS Score

CVSS V3.1

Timeline