AppTrana Overview

Start Free with Advance Plan

AppTrana

Billing

CDN

Dashboard

Detect page

Monitor page

Protect page

API Discovery Feature

API Request to Purge CDN Data

API Scan Coverage for OWASP Top 10

ASN based IP Whitelisting

Advanced Behavioral DDoS

Analysis page - Access Trend Visualization

Analysis page - Attack Trend Visualisation

Asset Discovery

BOT Protection

Browser Protection

Configure Custom Error Pages in AppTrana

Configuring Custom Error Page in AppTrana

Configuring Custom Error and Maintenance Pages in AppTrana WAAP

Custom Bot Configuration

Customize Application Behavior with Bot Score

DNS Management

Enable and Configure Single Sign-On

Enabling SIEM Integration

False Positive Analysis Report on WAAP

Malware Scanning for File Uploads

Manage WAAP Email Alerts

Origin Health Check Mechanism

Restricted Admin User

Self Service Rules

SwyftComply

WAF Automated Bypass and Unbypass

Whitelist Vulnerabilities on the AppTrana WAAP

Add Application

Analysis

AppTrana API Protection - OWASP Top 10 of 2019

Apptrana Protection WAF Rules Coverage

Change Plan

Dashboard

Detect

How to Connect Your SIEM to AppTrana

Indusface Partner APIs

Manage

Monitor

Overview

Process of Mapping Alias Domain

Profile

Protect

Settings

Onboard into Indusface WAS

SAML Integration with Azure for Single Sign-On

API Security Audit

Application Audit[AA]

Asset Monitoring

Dashboard

Malware Monitoring[MM]

New Reporting Structure

Reports

Settings

Summary

Vulnerability Assessment[VA]

Reports and Settings

Summary & Dashboard

Website Settings

API Key Based - Scan Log Export

AcuRisQ – Risk Management with Advanced Risk Scoring

SIEM Integration with Sumo Logic

WAS Consulting License

WAS Defacement Checks

Indusface WAS Scanned Vulnerabilities

Indusface Product Newsletter - August 19

Indusface Product Newsletter - February 2023

Indusface Product Newsletter - June 20

Indusface Product Newsletter - March 2022

Indusface Product Newsletter - October 19

Indusface Product Newsletter - October 2021

Indusface Product Newsletter- April 2021

Indusface Product Newsletter- October 2022

Indusface Product Newsletter-January21

Product Newsletter of February 18

Product Newsletter of January 18

Product Newsletter of January 19

Product Newsletter of July 18

Product Newsletter of March 18

Product Newsletter of March 19

Product Newsletter of May 18

Product Newsletter of May 19

WAF Portal Revamp June 18

Vulnerability Report of April 23

Vulnerability Report of August 23

Vulnerability Report of December 23

Vulnerability Report of February 23

Vulnerability Report of January 23

Vulnerability Report of July 23

Vulnerability Report of June 23

Vulnerability Report of March 23

Vulnerability Report of May 23

Vulnerability Report of November 23

Vulnerability Report of October 23

Vulnerability Report of September 23

CRS Vs Zero Day Vulnerabilities - August 2016

CRS vs Zero Day Vulnerability - September 2016

CRS vs. Zero Day Vulnerability - December 2016

CRS vs. Zero Day Vulnerability - November 2016

CRS vs. Zero Day Vulnerability - October 2016

Vulnerability report for Apr 3rd - Apr 9th 17

Vulnerability report for April 17th - Apr 23rd 17

Vulnerability report of April 10th - April 16th

Vulnerability report for 27th Feb - 5th Mar

Vulnerability report for Mar 13th - Mar 19th

Vulnerability report for Mar 20th - Mar 26th

Vulnerability report for Mar 27th - Apr 2nd

Vulnerability report for Mar 6th - Mar 12th

Vulnerability report for 30th Jan - 19th Feb

Vulnerabilities detected from 2nd Jan - 8th Jan

Vulnerability report from 16th Jan - 29th Jan

Vulnerability Report of August 17

Vulnerability Report of December 17

Vulnerability Report of July 17

Vulnerability Report of June 17

Vulnerability Report of May 17

Vulnerability Report of November 17

Vulnerability Report of October 17

Vulnerability Report of September 17

Vulnerability Report of April 18

Vulnerability Report of August 18

Vulnerability Report of December 18

Vulnerability Report of February 18

Vulnerability Report of January 18

Vulnerability Report of July 18

Vulnerability Report of June 18

Vulnerability Report of March 18

Vulnerability Report of November 18

Vulnerability Report of October 18

Vulnerability Report of September 18

Vulnerability Reports of May 18

Vulnerability Report of April 19

Vulnerability Report of August 19

Vulnerability Report of December 19

Vulnerability Report of February 19

Vulnerability Report of January 19

Vulnerability Report of July 19

Vulnerability Report of June 19

Vulnerability Report of March 19

Vulnerability Report of May 19

Vulnerability Report of November 19

Vulnerability Report of October 19

Vulnerability Report of September 19

Vulnerability Report of April 20

Vulnerability Report of December 20

Vulnerability Report of February 20

Vulnerability Report of January 20

Vulnerability Report of July 20

Vulnerability Report of June 20

Vulnerability Report of March 20

Vulnerability Report of May 20

Vulnerability Report of November 20

Vulnerability Report of October 20

Vulnerability Report of Sep 20

Vulnerability Report of April 21

Vulnerability Report of August 21

Vulnerability Report of December 21

Vulnerability Report of February 21

Vulnerability Report of January 21

Vulnerability Report of July 21

Vulnerability Report of June 21

Vulnerability Report of March 21

Vulnerability Report of May 21

Vulnerability Report of November 21

Vulnerability Report of October 21

Vulnerability Report of September 21

Vulnerability Report of April 22

Vulnerability Report of August 22

Vulnerability Report of February 22

Vulnerability Report of January 22

Vulnerability Report of July 22

Vulnerability Report of June 22

Vulnerability Report of March 22

Vulnerability Report of May 22

Vulnerability Report of November 22

Vulnerability Report of October 22

Vulnerability Report of September 22

Zero-Day Vulnerability Report - December 2022

Vulnerability Report of April 2024

Vulnerability Report of August 2024

Vulnerability Report of February 2024

Vulnerability Report of January 2024

Vulnerability Report of July 2024

Vulnerability Report of June 2024

Vulnerability Report of March 2024

Vulnerability Report of May 2024

CVE-2024-1071 – Critical Vulnerability in Ultimate Member WordPress Plugin

CVE-2024-4577 – A PHP CGI Argument Injection Vulnerability in Windows Servers

CVE-2024-4879 & CVE-2024-5217 Exposed - The Risks of RCE in ServiceNow

CVE-2024-8517 – Unauthenticated Remote Code Execution in SPIP

Critical Apache OFBiz Zero-day AuthBiz (CVE-2023-49070 and CVE-2023-51467)

Hotjar's OAuth+XSS Flaw Exposes Millions at Risk of Account Takeover

ScreenConnect Authentication Bypass (CVE-2024-1709 & CVE-2024-1708)

Adobe ColdFusion Vulnerabilities Exploited in the Wild

Apache Struts 2 Vulnerability CVE-2023-50164 Exposed

Apache log4j RCE vulnerability

ApacheStructs_VG

CVE-2024-8190 – OS Command Injection in Ivanti CSA

HTTP/2 Rapid Reset Attack Vulnerability

Multiple Moveit Transfer Vulnerabilities

Oracle WebLogic Server Deserialization

Remote Unauthenticated API Access Vulnerabilities in Ivanti

Unpacking the Zimbra Cross-Site Scripting Vulnerability(CVE-2023-37580)

ServiceNow Vulnerabilities – Overview
CVE-2024-4879: Jelly Template Injection Vulnerability
CVE-2024-5217: Incomplete Input Validation in GlideExpression Script
CVE-2024-5178: Incomplete Input Validation in SecurelyAccess API

All Categories
Security Bulletin

Vulnerabilities 2024

CVE-2024-4879 & CVE-2024-5217 Exposed - The Risks of RCE in ServiceNow

CVE-2024-4879 & CVE-2024-5217 Exposed - The Risks of RCE in ServiceNow

Updated 2 months ago by Rama Sadhu

ServiceNow Vulnerabilities – Overview
CVE-2024-4879: Jelly Template Injection Vulnerability
CVE-2024-5217: Incomplete Input Validation in GlideExpression Script
CVE-2024-5178: Incomplete Input Validation in SecurelyAccess API

Recent critical vulnerabilities in ServiceNow, a widely used cloud platform, have put numerous organizations at risk of data breaches. Threat actors are exploiting these input validation flaws, enabling remote code execution and unauthorized access.

Despite recent fixes, government agencies, data centers, and private firms remain targeted.

This blog highlights how these flaws are exploited for data theft and outlines security measures to mitigate these risks.

ServiceNow Vulnerabilities – Overview

ServiceNow addressed several critical vulnerabilities on July 10, 2024, including CVE-2024-4879 and CVE-2024-5217, both of which are input validation flaws that allow remote code execution (RCE). A less severe flaw, CVE-2024-5178, was also addressed.

Despite the release of security updates by the vendor on July 10, 2024, many systems remain vulnerable to attacks.

CVE-2024-4879: Jelly Template Injection Vulnerability

This critical vulnerability affects the Vancouver and Washington DC versions of ServiceNow. It involves a jelly template injection flaw that allows unauthenticated remote attackers to execute arbitrary code within the platform. The issue arises from improper input validation, leading to severe security risks.

Risk Analysis

Severity: Critical

CVSSv4.0 : Base Score: 9.3 CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSSv3.1: Base Score: 9.8 CRITICAL

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit available in public: Yes.

Exploit complexity: Low

Release	Fixed Version
Utah	Utah Patch 10 Hot Fix 3Utah Patch 10a Hot Fix 2
Vancouver	Vancouver Patch 6 Hot Fix 2Vancouver Patch 7 Hot Fix 3bVancouver Patch 8 Hot Fix 4Vancouver Patch 9Vancouver Patch 10
Washington	Washington DC Patch 1 Hot Fix 2bWashington DC Patch 2 Hot Fix 2Washington DC Patch 3 Hot Fix 1Washington DC Patch 4

CVE-2024-5217: Incomplete Input Validation in GlideExpression Script

This critical vulnerability is present in the Vancouver and Washington DC versions of ServiceNow. It is caused by incomplete input validation in the GlideExpression script, allowing unauthenticated remote code execution.

Risk Analysis

Severity: Critical

CVSSv4.0 : Base Score: 9.2 Critical

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSSv3.1: Base Score: 9.8 Critical

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit available in public: Yes.

Exploit complexity: Low

Release	Fixed Version
Utah	Utah Patch 10 Hot Fix 3Utah Patch 10a Hot Fix 2Utah Patch 10b Hot Fix 1
Vancouver	Vancouver Patch 6 Hot Fix 2Vancouver Patch 7 Hot Fix 3bVancouver Patch 8 Hot Fix 4Vancouver Patch 9 Hot Fix 1Vancouver Patch 10
Washington	Washington DC Patch 1 Hot Fix 3bWashington DC Patch 2 Hot Fix 2Washington DC Patch 3 Hot Fix 2Washington DC Patch 4Washington DC Patch 5

CVE-2024-5178: Incomplete Input Validation in SecurelyAccess API

This medium-severity vulnerability impacts the Washington DC, Vancouver, and Utah versions of ServiceNow. It involves incomplete input validation in the SecurelyAccess API, which can lead to unauthorized access to sensitive files by administrative users.

Risk Analysis

Severity: Medium

CVSSv4.0 : Base Score: 6.9 Medium

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVSSv3.1: Base Score: 4.9 Medium

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploit available in public: Yes.

Exploit complexity: Low

Release	Fixed Version
Utah	Utah Patch 10 Hot Fix 3Utah Patch 10a Hot Fix 2Utah Patch 10b Hot Fix 1
Vancouver	Vancouver Patch 6 Hot Fix 2Vancouver Patch 7 Hot Fix 3bVancouver Patch 8 Hot Fix 4Vancouver Patch 9 Hot Fix 1Vancouver Patch 10
Washington	Washington DC Patch 1 Hot Fix 3bWashington DC Patch 2 Hot Fix 2Washington DC Patch 3 Hot Fix 2Washington DC Patch 4

Exploitation Details

Attackers are actively exploiting critical vulnerabilities in ServiceNow to infiltrate systems and steal data. The process begins with reconnaissance, where attackers use tools like FOFA and Shodan to identify vulnerable ServiceNow instances.

They then employ automated tools to inject payloads into exposed endpoints, testing for RCE by exploiting flaws such as CVE-2024-4879 and CVE-2024-5217. Upon confirming a vulnerability, attackers execute arbitrary code to establish control, often by opening a reverse shell.

They chain multiple vulnerabilities together, such as CVE-2024-4879 with CVE-2024-5217 and CVE-2024-5178, to gain full database access and bypass security mechanisms. With database access, attackers enumerate users and extract sensitive information, including hashed and plaintext credentials, which are then exfiltrated.

To maintain access, attackers deploy backdoors and modify configurations, ensuring continued control over the compromised system.

Mitigation Steps

To protect against these vulnerabilities, organizations should:

Apply the Latest Patches and Hotfixes: Ensure all instances are updated with the security patches provided by ServiceNow.
Monitor Systems for Unusual Activity: Set up monitoring for suspicious activity related to these vulnerabilities.
Use Multi-Factor Authentication: Enhance security by implementing multi-factor authentication.
Regularly Review and Update Security Protocols: Ensure robust protection against emerging threats by keeping security protocols up to date.

AppTrana WAAP Coverage for ServiceNow Flaws

AppTrana WAAP customers receive built-in protection against these critical vulnerabilities. Our managed service team has implemented specific security rules to mitigate the risk of exploitation related to the identified CVEs:
SQL Injection Protection: Safeguards database integrity and prevents unauthorized data access.
Cross-site Scripting (XSS) Protection: Prevents unauthorized code execution and data leakage.

These rules are designed to provide comprehensive security and help prevent potential exploitation of ServiceNow vulnerabilities.

Table of Contents

CVE-2024-4879 & CVE-2024-5217 Exposed - The Risks of RCE in ServiceNow

ServiceNow Vulnerabilities – Overview

CVE-2024-4879: Jelly Template Injection Vulnerability

CVE-2024-5217: Incomplete Input Validation in GlideExpression Script

CVE-2024-5178: Incomplete Input Validation in SecurelyAccess API

Exploitation Details

Mitigation Steps

AppTrana WAAP Coverage for ServiceNow Flaws

How did we do?

CVE-2024-4577 – A PHP CGI Argument Injection Vulnerability in Windows Servers

CVE-2024-8517 – Unauthenticated Remote Code Execution in SPIP

You might also want to read

ScreenConnect Authentication Bypass (CVE-2024-1709 & CVE-2024-1708)

Apache Struts 2 Vulnerability CVE-2023-50164 Exposed

Critical Apache OFBiz Zero-day AuthBiz (CVE-2023-49070 and CVE-2023-51467)

Table of Contents

ServiceNow Vulnerabilities – Overview

CVE-2024-4879: Jelly Template Injection Vulnerability

CVE-2024-5217: Incomplete Input Validation in GlideExpression Script

CVE-2024-5178: Incomplete Input Validation in SecurelyAccess API

Exploitation Details

Mitigation Steps

AppTrana WAAP Coverage for ServiceNow Flaws

How did we do?

CVE-2024-4577 – A PHP CGI Argument Injection Vulnerability in Windows Servers

CVE-2024-8517 – Unauthenticated Remote Code Execution in SPIP

You might also want to read

ScreenConnect Authentication Bypass (CVE-2024-1709 & CVE-2024-1708)

Apache Struts 2 Vulnerability CVE-2023-50164 Exposed

Critical Apache OFBiz Zero-day AuthBiz (CVE-2023-49070 and CVE-2023-51467)

Contact