CVE-2025-3089

ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users, potentially leading to unauthorized data modifications. This issue is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners.

CVSS

No CVSS.

References

Link	Resource
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2264930

Configurations

No configuration.

History

13 Aug 2025, 17:34

Type	Values Removed	Values Added
Summary		(es) ServiceNow ha solucionado una vulnerabilidad de control de acceso interrumpido identificada en la plataforma de IA de ServiceNow. Esta vulnerabilidad podría permitir que un usuario con pocos privilegios eluda los controles de acceso y realice un conjunto limitado de acciones normalmente reservadas para usuarios con privilegios más altos, lo que podría provocar modificaciones no autorizadas de datos. Este problema se soluciona en los parches y versiones de la familia mencionados, que ya están disponibles para clientes alojados y autoalojados, así como para socios.

12 Aug 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-12 16:15

Updated : 2025-08-13 17:34

NVD link : CVE-2025-3089

Mitre link : CVE-2025-3089

CVE.ORG link : CVE-2025-3089

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-3089", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "psirt@servicenow.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-12T16:15:27.850", "references": [{"url": "https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2264930", "source": "psirt@servicenow.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "psirt@servicenow.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users, potentially leading to unauthorized data modifications.\u00a0This issue is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners."}, {"lang": "es", "value": "ServiceNow ha solucionado una vulnerabilidad de control de acceso interrumpido identificada en la plataforma de IA de ServiceNow. Esta vulnerabilidad podr\u00eda permitir que un usuario con pocos privilegios eluda los controles de acceso y realice un conjunto limitado de acciones normalmente reservadas para usuarios con privilegios m\u00e1s altos, lo que podr\u00eda provocar modificaciones no autorizadas de datos. Este problema se soluciona en los parches y versiones de la familia mencionados, que ya est\u00e1n disponibles para clientes alojados y autoalojados, as\u00ed como para socios."}], "lastModified": "2025-08-13T17:34:12.350", "sourceIdentifier": "psirt@servicenow.com"}