Recent articles may have raised concerns over a vulnerability in an out-of-box ServiceNow widget that could result in unintended data access. However, these concerns seem overstated. For one, it's important to note that the underlying research applies to cloud platforms in general, not just ServiceNow. Secondly, the issue was proactively addressed by ServiceNow back in May 2023 - 5 months prior to the articles being published. While we don't anticipate any significant risk, we have provided some additional information and recommendations below to assure you that your company data remains safe and secure on the ServiceNow platform.
Any data stored in a table where the 'public' role has been granted read permission may be accessible to unauthorised users, including unauthenticated visitors.
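To show what "public read" means in ServiceNow's access-control model, here is an added review helper (not the advisory's own code and not ServiceNow code): given plain-object copies of the standard sys_user_role, sys_security_acl and sys_security_acl_role records, it lists the active read ACLs that an unauthenticated user would pass, either because the 'public' role is attached or because the rule has no role, condition or script at all. The record shapes and field names are assumptions based on the standard schema; on an instance the three arrays would be loaded with GlideRecord and passed in.

```javascript
// Added example: pure review logic over plain records, not ServiceNow's own code.
// Field names (sys_id, name, operation, active, condition, script,
// sys_security_acl, sys_user_role) are assumed from the standard ACL schema.

function isTruthy(v) {
  // GlideRecord.getValue() returns booleans as '1'/'0'; accept both forms.
  return v === true || v === '1' || v === 'true';
}

// Returns an object mapping ACL name (table or table.field) to the reason it
// is readable without authentication.
function findPublicReadAcls(roles, acls, aclRoles) {
  var publicIds = {};
  roles.forEach(function (r) {
    if (r.name === 'public') publicIds[r.sys_id] = true;
  });

  var rolesByAcl = {}; // ACL sys_id -> list of role sys_ids attached to it
  aclRoles.forEach(function (m) {
    (rolesByAcl[m.sys_security_acl] = rolesByAcl[m.sys_security_acl] || []).push(m.sys_user_role);
  });

  var exposed = {};
  acls.forEach(function (a) {
    if (!isTruthy(a.active) || a.operation !== 'read') return;
    var granted = rolesByAcl[a.sys_id] || [];
    var explicitPublic = granted.some(function (id) { return publicIds[id]; });
    // An ACL with no role, condition or script grants access to everyone.
    var unrestricted = granted.length === 0 && !a.condition && !a.script;
    if (explicitPublic) exposed[a.name] = 'public role';
    else if (unrestricted) exposed[a.name] = 'no role/condition/script';
  });
  return exposed;
}

// Constructed sample data (not taken from any real instance).
var SAMPLE_ROLES = [
  { sys_id: 'r-public', name: 'public' },
  { sys_id: 'r-itil', name: 'itil' }
];
var SAMPLE_ACLS = [
  { sys_id: 'a1', name: 'incident', operation: 'read', active: '1', condition: '', script: '' },
  { sys_id: 'a2', name: 'kb_knowledge', operation: 'read', active: '1', condition: '', script: '' },
  { sys_id: 'a3', name: 'cmdb_ci', operation: 'write', active: '1', condition: '', script: '' },
  { sys_id: 'a4', name: 'sys_user.email', operation: 'read', active: '0', condition: '', script: '' },
  { sys_id: 'a5', name: 'sc_cat_item', operation: 'read', active: '1', condition: '', script: '' },
  { sys_id: 'a6', name: 'task', operation: 'read', active: '1', condition: '', script: 'answer = gs.hasRole("itil");' }
];
var SAMPLE_ACL_ROLES = [
  { sys_security_acl: 'a1', sys_user_role: 'r-public' },
  { sys_security_acl: 'a2', sys_user_role: 'r-itil' },
  { sys_security_acl: 'a3', sys_user_role: 'r-public' },
  { sys_security_acl: 'a4', sys_user_role: 'r-public' }
];
```

Running it over the sample flags only `incident` (public role attached) and `sc_cat_item` (no restriction at all); write ACLs, inactive ACLs and script-guarded ACLs are left out.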
ServiceNow performed proactive maintenance on customer instances back in May 2023. This maintenance adjusted the behaviour of the "Simple List Widget" to prevent unauthorised access to certain data. The fix is available in Tokyo Patch 8 & 7a, Utah Patch 1a & 2, San Diego Patch 10 Hot Fix 1a (and above). Note: customised or cloned copies of the widget were not fixed by this maintenance. Read the full Knowledge article (KB1279323) for details.
If you suspect you are using a cloned or customised "Simple List Widget", or would simply like to review your instance to rule out a potential vulnerability, we recommend you perform the following activities:
ServiceNow diligently monitors threats and acts swiftly to protect customers - as do we. As your ServiceNow platform advisor, we will continue to share information that empowers you to utilise ServiceNow securely. In the meantime, by taking the steps shared above, you can be assured that your instance is safe from unauthorised access.