{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T14:59:21.319","vulnerabilities":[{"cve":{"id":"CVE-2025-3648","sourceIdentifier":"psirt@servicenow.com","published":"2025-07-08T16:15:57.280","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them.\n\nTo assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs.\n\nAdditionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations.\n\nCustomers, please review the KB Articles in the References section."},{"lang":"es","value":"Se ha identificado una vulnerabilidad en Now Platform que podría provocar la inferencia de datos sin autorización. Bajo ciertas configuraciones de listas de control de acceso condicional (ACL), esta vulnerabilidad podría permitir que usuarios, tanto autenticados como no autenticados, utilicen solicitudes de consulta de rango para inferir datos de instancias a los que no deberían tener acceso. Para ayudar a los clientes a mejorar los controles de acceso, ServiceNow ha introducido marcos de control de acceso adicionales en Xanadu y Yokohama, como las ACL de consulta, los filtros de datos de seguridad y las ACL de denegación. Además, en mayo de 2025, ServiceNow entregó a sus clientes una actualización de seguridad diseñada para mejorar las configuraciones de las ACL. Consulten los artículos de la base de conocimientos en la sección de Referencias."}],"metrics":{"cvssMetricV40":[{"source":"psirt@servicenow.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"psirt@servicenow.com","type":"Secondary","description":[{"lang":"en","value":"CWE-1220"}]}],"references":[{"url":"https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046494","source":"psirt@servicenow.com"},{"url":"https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2139567","source":"psirt@servicenow.com"},{"url":"https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2256712","source":"psirt@servicenow.com"}]}}]}