CVE-2025-0337

Published Mar 6, 2025

Last updated 4 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-0337 is an authorization bypass vulnerability found in ServiceNow's Now Platform. Exploitation allows authenticated users to access data within the platform that they would not normally be authorized to view. This vulnerability affects the Washington release of the Now Platform and was identified by Justin Hocquel. Patches addressing this vulnerability have been released and are available for hosted and self-hosted customers, as well as partners. These include Washington DC Patch 9, Xanadu Patch 4, and the Yokohama General Availability (Patch 1) release. Users are strongly encouraged to update their systems to mitigate the risk of exploitation.

Description: ServiceNow has addressed an authorization bypass vulnerability that was identified in the Washington release of the Now Platform. This vulnerability, if exploited, potentially could enable an authenticated user to access unauthorized data stored within the Now Platform that the user otherwise would not be entitled to access. This issue is addressed in the listed patches and family release, which have been made available to hosted and self-hosted customers, as well as partners.
Source: psirt@servicenow.com
NVD status: Received

Risk scores

CVSS 4.0

Type: Secondary
Base score: 7.1
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

CVSS 3.1

Type: Secondary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

psirt@servicenow.com: CWE-639

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 1