Chaining Three Bugs to Access All Your ServiceNow Data (Live

Chaining Three Bugs to Access All Your ServiceNow Data (Live Q&A)

Listen now

Description

On May 14th, 2024, we disclosed a chain of vulnerabilities to ServiceNow, resulting in 3 new CVEs. This series of security issues affected all Vancouver and Washington ServiceNow instances (around 42,000 globally), allowing an attacker to execute code on the instance. In this live Q&A, Assetnote security researcher Adam Kues explains his approach to how he found these vulnerabilities, highlighted in our recent research post. He is joined by hosts, Michael Gianarakis and Shubham Shah. Congratulations to Adam on being credited with CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217! To learn more about Assetnote, visit https://www.assetnote.io/.

More Episodes

See all »

Maximizing Security Outcomes: The Role of ASM in Bug Bounty Programs

Running an effective bug bounty program requires balancing an attractive scope and payout to hunters with an attack surface that challenges hunters to do more than automated scans. Program managers want to pay for skillful findings, not automated ones. In this episode, we talk about how ASM helps...

Published 10/10/24

Surfacing Security

Published 10/10/24

Internet-Wide Recon: Moving Past IP-Centric Approaches

In this episode, we discuss the blindspots of IP-centric approaches to asset discovery and the importance of understanding the full attack surface of an organization. We unpack the challenges posed by modern cloud architectures, load balancers, and WAFs, and how these can create blind spots in...

Published 10/02/24