thrunt.me Applied Cybernetics Group

July 29, 2024 · Applied Cybernetics Group

CVE-2024-5217 — ServiceNow Utah, Vancouver, and Washington DC Now Platform

ServiceNow Incomplete List of Disallowed Inputs Vulnerability

Added to KEV
2024-07-29
Federal due date
2024-08-19
Vendor
ServiceNow
Product
Utah, Vancouver, and Washington DC Now Platform
EPSS
99.9th percentile (score 0.941, as of 2026-06-08)
NVD CVSS v3.1
Ransomware use
Unknown
Upstream
https://nvd.nist.gov/vuln/detail/CVE-2024-5217

CISA short description

ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.

Required action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.