CVE-2024-8924 HIGH

CVE-2024-8924: Unauthenticated Blind SQL Injection in Core Platform

Vendor ServiceNow
Product Now Platform
Weakness CWE-89 · SQLi
Published October 29, 2024
Last update October 31, 2024

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

ServiceNow has addressed a blind SQL injection vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to extract unauthorized information. ServiceNow deployed an update to hosted instances, and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.

Key dates

02 Disclosure timeline

October 29, 2024 CVE published
October 31, 2024 Record updated