Recent articles may have raised concerns about a vulnerability in an out-of-box ServiceNow widget that could result in unintended data access. It's important to note that this research is relevant to all cloud platforms, not just ServiceNow, and that ServiceNow proactively addressed the issue back in May 2023, 5 months before the articles were published. While we don't anticipate any significant risk, we have provided some additional information and recommendations below to ensure that your company data remains safe and secure on the ServiceNow platform.
Any data that is housed on a table where the 'public' role has been given read permissions may be accessible to unauthorized users.
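As an added illustration (not ServiceNow's code or tooling), the condition described above can be checked offline against an export of an instance's access control rules. The JSON record shape (`name`, `operation`, `active`, `roles`), the sample records, and the function name are assumptions constructed for this example.

```python
import json

# Constructed sample: ACL records as they might look after being exported to
# JSON. Field names and values are assumptions made for this example.
# "name" is assumed to be "table", "table.field" or "table.*".
SAMPLE_ACLS = json.loads("""
[
  {"name": "kb_knowledge",   "operation": "read",  "active": true,  "roles": ["public"]},
  {"name": "incident",       "operation": "read",  "active": true,  "roles": ["itil"]},
  {"name": "sys_user.email", "operation": "read",  "active": true,  "roles": ["public", "itil"]},
  {"name": "cmdb_ci",        "operation": "write", "active": true,  "roles": ["public"]},
  {"name": "u_hr_case.*",    "operation": "read",  "active": false, "roles": ["public"]},
  {"name": "sys_attachment", "operation": "READ",  "active": true,  "roles": ["Public "]}
]
""")


def public_read_exposure(acls):
    """Map each table to the scopes on which 'public' holds an active read ACL.

    A scope is "<record>" for a table-level rule, a field name for a
    field-level rule, or "*" for an all-fields rule.
    """
    exposed = {}
    for acl in acls:
        if not acl.get("active", False):
            continue  # inactive rules grant nothing
        if str(acl.get("operation", "")).strip().lower() != "read":
            continue  # only read access is in scope here
        # Normalise role names so stray case or whitespace in the export
        # does not hide a match.
        roles = {str(r).strip().lower() for r in acl.get("roles", [])}
        if "public" not in roles:
            continue
        table, _, field = str(acl.get("name", "")).partition(".")
        exposed.setdefault(table, set()).add(field or "<record>")
    return {t: sorted(s) for t, s in sorted(exposed.items())}


if __name__ == "__main__":
    for table, scopes in public_read_exposure(SAMPLE_ACLS).items():
        print(f"{table}: public read on {', '.join(scopes)}")
```

Each table reported is one whose data should be reviewed to confirm that public read access is intended.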
ServiceNow performed proactive maintenance on customer instances back in May 2023. This maintenance adjusted the behavior of the "Simple List Widget" to prevent unauthorized access to certain data. The fix is available in Tokyo Patch 8 & 7a, Utah Patch 1a & 2, San Diego Patch 10 Hot Fix 1a (and above). Note: customized or cloned widgets were not fixed. See the full Knowledge article (KB1279323) for details.
If you suspect you are using a cloned or customized "Simple List Widget" or would like to simply review your instance to rule out a potential vulnerability, we recommend you perform the following activities:
ServiceNow diligently monitors threats and acts swiftly to protect customers - as do we. As your ServiceNow platform advisor, we will continue to share information that empowers you to utilize ServiceNow securely. In the meantime, by taking the steps shared above, you can be assured that your instance is safe from unauthorized access.