ServiceNow SSoT Plugin, Information Disclosure, CVE-2024-XXXX (Low)


The CVE-2024-XXXX vulnerability exists in the ServiceNow SSoT integration plugin for Nautobot. The endpoint `/plugins/ssot/servicenow/config/` is implemented with a generic Django View class that carries no authentication or permission decorators. When this URL is requested with a GET call, the view executes without checking the user’s authentication status, renders a configuration template, and thereby exposes the configured ServiceNow public instance name (e.g., companyname.service-now.com) in the HTTP response. The view does not handle POST requests and does not expose secrets, but an information leak still occurs because the application serves this data to any unauthenticated client, violating the principle of default deny. The root cause is that the view returns a response directly without first validating the user’s session or permissions against the application’s authentication middleware.
Platform: Nautobot SSoT Plugin
Version: <3.10.0
Vulnerability: Information Disclosure
Severity: Low

date: 2024-XX-XX

Prediction: Patch available

What Undercode Say:

curl -s http://nautobot.example.com/plugins/ssot/servicenow/config/ | grep -oP 'instance_name[" :]+\K[^"]+'
In views.py, the vulnerable view class (imports added for context; note that neither LoginRequiredMixin nor a login_required decorator is applied):

from django.conf import settings
from django.shortcuts import render
from django.views import View

class ServiceNowConfigView(View):
    # No authentication or permission check, so any client can reach get().
    def get(self, request):
        instance_name = settings.SERVICENOW_INSTANCE
        # The instance name is rendered into the response even for anonymous callers.
        return render(request, 'ssot/servicenow_config.html', {'instance_name': instance_name})

How to Exploit:

Unauthenticated HTTP GET request.

Protection from this CVE

Upgrade to v3.10.0. Until then, protect the view with the @login_required decorator (or Django's LoginRequiredMixin, since the view is class-based) so it denies unauthenticated requests like the rest of the application.
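As an added illustration (not the plugin's or Undercode's code), the unauthenticated view beside a default-deny version, with a leak check equivalent to the curl one-liner above. Django's View, render and login_required are replaced by minimal stand-ins so it runs without Django, and the instance name is a constructed sample.

```python
import re
from dataclasses import dataclass, field

# Constructed sample; stands in for settings.SERVICENOW_INSTANCE.
SERVICENOW_INSTANCE = "companyname.service-now.com"


@dataclass
class User:
    is_authenticated: bool = False      # AnonymousUser by default


@dataclass
class Request:
    method: str = "GET"
    user: User = field(default_factory=User)


@dataclass
class Response:
    status_code: int
    body: str = ""


def render_config(instance_name):
    # Stand-in for render(request, 'ssot/servicenow_config.html', {...}).
    return Response(200, f'{{"instance_name": "{instance_name}"}}')


def login_required(view):
    """Default-deny wrapper modelled on Django's login_required: an anonymous
    caller never reaches the view body, so no configuration is rendered."""
    def wrapped(request, *args, **kwargs):
        if not request.user.is_authenticated:
            return Response(302, "")    # Django would redirect to LOGIN_URL
        return view(request, *args, **kwargs)
    return wrapped


def vulnerable_config_view(request):
    # Mirrors the plugin view: render without any check on request.user.
    return render_config(SERVICENOW_INSTANCE)


@login_required
def fixed_config_view(request):
    return render_config(SERVICENOW_INSTANCE)


# Same pattern as the grep in the curl one-liner (capture group instead of \K).
LEAK_RE = re.compile(r'instance_name[" :]+([^"]+)')


def leaked_instance(response):
    """Return the instance name if the response body exposes it, else None."""
    match = LEAK_RE.search(response.body)
    return match.group(1) if match else None
```

Run leaked_instance() against the unauthenticated response of a patched deployment; any value other than None means the view is still reachable without a session.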

Impact:

Low-value info leak. Exposes instance name only.


Sources:

Reported By: github.com