Very High
CVE-2024-4879
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2024-4879
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
CVE-2024-4879 is a Jelly Template injection vulnerability in ServiceNow resulting from incomplete input validation. ServiceNow’s release cycle is not numbered, but named after states and with non-canonical minor version, so determining vulnerability is somewhat more difficult.
Utah versions that are patched:
Patch 10 and hot Fix 3
Patch 10a and Hot Fix 2
Vancouver versions that are patched are:
Patch 6 Hotfix 2
Patch 7 Hotfix 3b
Patch 8 Hotfix 4
Patch 9
Patch 10
Washington releases that are patched:
Patch 1Hotfix 2b
Patch 2 Hotfix 2
Patch 3 Hotfix 1
Patch 4
Jelly templates are configuration files used by the ServiceNow system; input validation for data into the file is insufficient, allowing an unauthenticated attacker to alter the Jelly Template file to gain code execution. This vulnerability was patched July 10, but as of this week, there are still reports of numerous internet-facing hosts vulnerable to this exploit with other outlets claiming that the vulnerability is being actively exploited in the wild. It is additionally complicated by the near simultaneous release of CVE-2024-5217, which has a similar vulnerability landscape, but a different vulnerability path.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154
https://www.imperva.com/blog/imperva-customers-protected-against-critical-servicenow-vulnerability/
https://www.linhttps://www.darkreading.com/cloud-security/patchnow-servicenow-critical-rce-bugs-active-exploitkedin.com/pulse/cve-2024-4879-cve-2024-5217-exposed-risks-rce-servicenow-nfmtc
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- servicenow
Products
- servicenow utah,
- servicenow vancouver,
- servicenow washington dc
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: