Unrated severityNVD Advisory· Published Jun 13, 2023· Updated Feb 13, 2025

ACL bypass in Reporting functionality

CVE-2022-43684

Description

ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality.

Additional Details

This issue is present in the following supported ServiceNow releases:

Quebec prior to Patch 10 Hot Fix 8b
Rome prior to Patch 10 Hot Fix 1
San Diego prior to Patch 7
Tokyo prior to Tokyo Patch 1; and
Utah prior to Utah General Availability

If this ACL bypass issue were to be successfully exploited, it potentially could allow an authenticated user to obtain sensitive information from tables missing authorization controls.

Affected products

Servicenow/Now Platformv5
Range: Quebec

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/173354/ServiceNow-Insecure-Access-Control-Full-Admin-Compromise.htmlmitre
seclists.org/fulldisclosure/2023/Jul/11mitre
news.ycombinator.com/itemmitre
support.servicenow.com/kbmitre
x64.sh/posts/ServiceNow-Insecure-access-control-to-admin/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000