CVE-2021-45901

moderate-risk
Published 2022-02-10

The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending on whether the username exists.

Do I need to act?

!
19.6% chance of exploitation in next 30 days
EPSS score — higher than 80% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
50741
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (7)

Affected Vendors

Servicenow

References (6)

Exploit http://packetstormsecurity.com/files/165989/ServiceNow-Orlando-Username-Enumerat...
Exploit https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/servicenow-usern...
Vendor Advisory https://www.trustwave.com/en-us/resources/security-resources/security-advisories...
Exploit http://packetstormsecurity.com/files/165989/ServiceNow-Orlando-Username-Enumerat...
Exploit https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/servicenow-usern...
Vendor Advisory https://www.trustwave.com/en-us/resources/security-resources/security-advisories...
49
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 14/34 · Moderate
Exposure 14/34 · Moderate