ACL bypass in Reporting functionality
CVE-2022-43684

6.5MEDIUM

Key Information:

Vendor: Servicenow
Status: Now Platform
Vendor: CVE Published:; 13 June 2023

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-43684?

An Access Control List (ACL) bypass vulnerability exists in ServiceNow's core functionality, affecting several releases. If exploited, this vulnerability allows authenticated users to access sensitive information from tables that lack proper authorization controls. The issue has been addressed through patches and upgrades provided by ServiceNow, targeting specific versions in the Quebec, Rome, San Diego, Tokyo, and Utah release series. It is crucial for organizations using these versions to apply the necessary updates to secure their data.

Affected Version(s)

Now Platform Quebec

Now Platform Rome

Now Platform San Diego

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-43684
Created by lolminerxmrig

References

https://support.servicenow.com/kb?id=kb_article_view&sysp...

http://seclists.org/fulldisclosure/2023/Jul/11

https://news.ycombinator.com/item?id=36638530

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jul 5, 2023
👾
Exploit known to exist
Jul 5, 2023
Vulnerability published
Jun 13, 2023
Vulnerability Reserved
Oct 24, 2022

Credit

Luke Symons

Tony Wu

Eldar Marcussen

Gareth Phillips

Jeff Thomas

Nadeem Salim

Stephen Bradshaw

Servicenow