Lucene search
PRIOn knowledge basePRION:CVE-2022-43684HistoryJun 13, 2023 - 7:15 p.m.
Authorization
2023-06-1319:15:00
PRIOn knowledge base
www.prio-n.com
2
servicenow
acl bypass
patches
upgrade
access control list
authorization controls
ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality.
Additional Details
This issue is present in the following supported ServiceNow releases:
- Quebec prior to Patch 10 Hot Fix 8b
- Rome prior to Patch 10 Hot Fix 1
- San Diego prior to Patch 7
- Tokyo prior to Tokyo Patch 1; and
- Utah prior to Utah General Availability
If this ACL bypass issue were to be successfully exploited, it potentially could allow an authenticated user to obtain sensitive information from tables missing authorization controls.
References
packetstormsecurity.com/files/173354/ServiceNow-Insecure-Access-Control-Full-Admin-Compromise.html
seclists.org/fulldisclosure/2023/Jul/11
news.ycombinator.com/item?id=36638530
support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1303489
x64.sh/posts/ServiceNow-Insecure-access-control-to-admin/
Related
cvelist
cvelist
CVE-2022-43684 ACL bypass in Reporting functionality
2023-06-13 18:51:39
nvd
nvd
CVE-2022-43684
2023-06-13 19:15:09
cve
cve
CVE-2022-43684
2023-06-13 19:15:09
githubexploit
githubexploit
Exploit for Exposure of Resource to Wrong Sphere in Servicenow
2023-07-05 20:53:42