CVE-2022-43684 - ServiceNow ACL Bypass – What You Need to Know

In late 2022, a critical security flaw, now tracked as CVE-2022-43684, was disclosed for ServiceNow – the popular cloud-based workflow automation platform. This vulnerability is a bypass of Access Control List (ACL) checks, allowing some authenticated users to access sensitive data they shouldn’t. If you’re running ServiceNow, let’s break down what this means, how to fix it, what exploitation could look like, and how to stay safe.

The Vulnerability Explained

Normally, ServiceNow’s ACLs are supposed to block users from touching records they aren’t supposed to see. But CVE-2022-43684 describes a flaw in ServiceNow’s table security logic – specifically in the core platform – that allows an authenticated user to gain unauthorized access to certain tables that are missing specific ACLs.

Utah – prior to General Availability release

If you’re running any of these or earlier, you should upgrade immediately.

> “The issue could allow an authenticated user to obtain sensitive information from tables missing the necessary authorization controls.”  
> — ServiceNow Security Advisory

Attack Scenario — How Exploitation Happens

Let’s walk through a simplified attack scenario.

Imagine your organization runs a ServiceNow instance and you haven’t patched for CVE-2022-43684 yet. You have sensitive tables (say, incident, sys_user, cmn_location). Some of your tables are missing ACLs for specific user roles.

A low-privileged, authenticated user (perhaps an intern, or someone with basic access) could

1. Enumerate Unprotected Tables – Using simple URL manipulation, browser dev tools, or ServiceNow’s REST APIs, the attacker tries to access tables they wouldn’t normally see.
2. Bypass the Missing ACLs – Due to the vulnerability, if the ACL is missing or misconfigured, ServiceNow doesn’t check correctly, and the access gets through.
3. Access Data – The attacker extracts data (user info, incident tickets, perhaps even credentials, depending on your table’s content).

Code Snippet: Example API Request

Here’s a Python example using requests library to retrieve data from a table missing proper ACL controls:

import requests

url = "https://your-instance.servicenow.com/api/now/table/sys_user";
headers = {
    "Accept": "application/json",
    "Content-Type": "application/json"
}

# Substitute with a real session cookie or use Basic Auth as needed
cookies = {
    "JSESSIONID": "YOURSESSIONID"
}

response = requests.get(url, headers=headers, cookies=cookies, verify=False)
if response.status_code == 200:
    print(response.json())
else:
    print("Access Denied or Not Vulnerable")

*Note: This is for educational and defense testing in authorized environments only!*

Real Impact

If exploited, attackers might pull usernames, emails, phone numbers, locations, and anything else in a vulnerable table. Depending on your configuration, this could breach your corporate security policy, expose users, or even escalate into a full compromise.

How to Fix

Patch your instance! ServiceNow has released patches and upgrade paths for all affected platforms. Here’s what you need:

| Platform  | Fixed in                                 |
|-----------|------------------------------------------|
| Quebec    | Patch 10 Hot Fix 8b                      |
| Rome      | Patch 10 Hot Fix 1                       |
| San Diego | Patch 7                                  |
| Tokyo     | Patch 1                                  |
| Utah      | General Availability release             |

Check your current version! Go to _System Diagnostics > Stats > Stats_ or ask your ServiceNow admin for your build info.

Defensive Tips

- Review Table ACLs: Inventory your tables and ensure you have *explicit* ACLs set, especially for custom tables and sensitive data.

Least Privilege Principle: Don’t grant more permissions than necessary.

- Apply ServiceNow Security Best Practices: See ServiceNow Security Best Practices.

More Reading

- CVE-2022-43684 – MITRE Entry  
- ServiceNow KB1061636 – Security Advisory
- Official Patch Release Notes

Summary

CVE-2022-43684 is a serious, easy-to-exploit flaw that could expose sensitive data in your ServiceNow instance to anyone with a valid login. If you’re running any of the affected versions, prioritize updates, tighten up your ACLs, and make sure you’re following ServiceNow’s recommended security posture. Don’t wait for attackers to find those open doors—secure them now.


*This post is original content based on public advisories, written in plain American English for easier understanding and defense.*

Timeline

Published on: 06/13/2023 19:15:00 UTC
Last modified on: 07/11/2023 18:15:00 UTC