CVE-2024-8924

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 29, 2024 / Updated: 21d ago

CVSS 8.7 (High) / EPSS 0.04%

Summary

A blind SQL injection vulnerability has been identified in the ServiceNow Now Platform. This vulnerability could allow an unauthenticated user to extract unauthorized information.

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 7.5 and a CVSS v4.0 base score of 8.7. The attack vector is network-based, attack complexity is low, and no user interaction is required. It has a high impact on confidentiality but no impact on integrity or availability. An unauthenticated attacker could potentially extract sensitive information from the database without detection, bypassing authentication mechanisms.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.

Patch

A patch is available. ServiceNow has deployed an update to hosted instances and provided the update to partners and self-hosted customers. The vulnerability is addressed in specific patches and hotfixes for various versions of the Now Platform, including Vancouver and Washington DC releases.

Mitigation

1. Apply the provided patches or hotfixes immediately, prioritizing based on the high severity score.
2. For Vancouver release: Update to patch 8 or later.
3. For Washington DC release: Update to patch 5 or later.
4. If immediate patching is not possible, implement strict input validation and sanitization for all user inputs.
5. Monitor system logs for any suspicious database queries or unauthorized access attempts.
6. Conduct a thorough security assessment to identify any potential data breaches that may have occurred before patching.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-8924

Oct 29, 2024 at 5:15 PM

CVSS

A CVSS base score of 7.5 has been assigned.

Oct 29, 2024 at 5:21 PM / nvd

First Article

Feedly found the first article mentioning CVE-2024-8924.

Oct 29, 2024 at 5:22 PM / Vulners.com RSS Feed

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 29, 2024 at 5:22 PM

EPSS

EPSS Score was set to: 0.04% (Percentile: 9.9%)

Oct 30, 2024 at 10:18 AM

Affected Systems

Servicenow/servicenow

Patches

support.servicenow.com

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

CVE-2024-8924 - Unauthenticated Blind SQL Injection in Core Platform - Security

News

ServiceNow fixes vulnerabilities in Now Platform
ServiceNow has recently addressed two critical vulnerabilities in its Now Platform that pose significant security risks to organizations. This flaw enables unauthenticated attackers to execute remote code within the platform's context, potentially granting them full control over the system, exposing sensitive data, and compromising platform integrity.
ServiceNow's Now Platform has encountered two critical vulnerabilities (CVE-2024-8923 and CVE-2024-8924) that pose serious risks to organizations by potentially allowing unauthorized access and exposing sensitive data. https://socradar.io/servicenow-now-platform-vulnerabilities-cve-2024-8923/
ServiceNow Now Platform Vulnerabilities Enable RCE and SQL Injection Risks (CVE-2024-8923, CVE-2024-8924) – Patch Now
These newly disclosed flaws (CVE-2024-8923 and CVE-2024-8924) pose serious risks to organizations across industries by potentially allowing unauthorized access and exposing sensitive data. By exploiting this flaw, attackers could potentially gain unauthorized access and control within the context of the platform, posing a risk of data exposure and compromising platform integrity.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
