CVE-2024-8924

Summary

ServiceNow has addressed a blind SQL injection vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to extract unauthorized information. ServiceNow deployed an update to hosted instances, and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.

Affected Software

VendorProductVersion RangeStatus
ServiceNowNow Platform0 < Utah Patch 10b Hot Fix 3affected
ServiceNowNow Platform0 < Vancouver Patch 8 Hot Fix 5affected
ServiceNowNow Platform0 < Vancouver Patch 9 Hot Fix 3baffected
ServiceNowNow Platform0 < Vancouver Patch 10 Hot Fix 2affected
ServiceNowNow Platform0 < Washington DC Patch 4 Hot Fix 2baffected
ServiceNowNow Platform0 < Washington DC Patch 5 Hot Fix 6affected
ServiceNowNow Platform0 < Washington DC Patch 6 Hot Fix 1affected
ServiceNowNow Platform0 < Washington DC Patch 7affected
ServiceNowNow Platform0 < Xanadu Patch 1affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References