Vulnerability Details : CVE-2022-43684
ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality.
Additional Details
This issue is present in the following supported ServiceNow releases:
* Quebec prior to Patch 10 Hot Fix 8b
* Rome prior to Patch 10 Hot Fix 1
* San Diego prior to Patch 7
* Tokyo prior to Tokyo Patch 1; and
* Utah prior to Utah General Availability
If this ACL bypass issue were to be successfully exploited, it potentially could allow an authenticated user to obtain sensitive information from tables missing authorization controls.
Vulnerability category: Information leak
Products affected by CVE-2022-43684
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_6:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_4:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_4a:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_3:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_2_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_1_hotfix_1b:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_1_hotfix_1a:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_1_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_3:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_4:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_3_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_3_hotfix_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_3_hotfix_3:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_3_hotfix_4:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_10:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:utah:-:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_1_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_1_hotfix_1b:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_1_hotfix_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_1_hotfix_3:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_2_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_2_hotfix_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_3_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_4_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_4_hotfix_1a:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_4_hotfix_1b:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_5:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_5_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_5_hotfix_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_6:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_7:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_6_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_6_hotfix_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_7_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_7a:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_7b:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_8:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_8_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_8_hotfix_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_9:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_9a:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_9b:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_9_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_10:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_4b:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:tokyo:-:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_5:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:rome:patch_1_hotfix_1a:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_1_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_2_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_2_hotfix_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_3:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_4:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_4_hotfix_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_5:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_6:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_7:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_8:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_9:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_10_hotfix_3:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_10_hotfix_3a:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_10_hotfix_3b:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:quebec:patch_10_hotfix_4:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_10_hotfix_1:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_10_hotfix_1a:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_10_hotfix_1b:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_10_hotfix_2:*:*:*:*:*:*
- cpe:2.3:a:servicenow:servicenow:san_diego:patch_10_hotfix_2b:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-43684
- 0.11%: Probability of exploitation activity in the next 30 days
- ~ 44 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-43684
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 3.1 | 6.0 | ServiceNow | |
CWE ids for CVE-2022-43684
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: psirt@servicenow.com (Secondary)
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-43684
- http://packetstormsecurity.com/files/173354/ServiceNow-Insecure-Access-Control-Full-Admin-Compromise.html
  ServiceNow Insecure Access Control / Full Admin Compromise ≈ Packet Storm
- https://x64.sh/posts/ServiceNow-Insecure-access-control-to-admin/
  ServiceNow Insecure Access Control To Full Admin Takeover | R3zk0n
- http://seclists.org/fulldisclosure/2023/Jul/11
  Full Disclosure: ServiceNow Account Takeover to Full Admin Compromise
- https://news.ycombinator.com/item?id=36638530
  ServiceNow Insecure Access Control to Full Admin Takeover | Hacker News
- https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1303489
  [Security Advisory] CVE-2022-43684 - ACL bypass in Reporting functionality - Global Security Support Center (GSSC) (Vendor Advisory)