Unsecured ServiceNow Knowledge Bases Put Confidential Data at Risk

Knowledge Base Misconfigurations

There are three common misconfigurations that can put ServiceNow Knowledge Bases at risk:

  1. Running an older version of ServiceNow in which a Knowledge Base with no User Criteria configured is publicly accessible by default.
  2. Using “Any User” and “Any user for kb” User Criteria, which can grant access to unauthenticated users without administrators realizing.
  3. Not configuring denylists, which can allow external users to bypass access controls.

How Attackers Can Gain Access to the Knowledge Bases

Attackers can access misconfigured Knowledge Bases through Public Widgets, such as the “KB Article Page” widget, which displays content from specific articles. By using tools like Burp Suite, attackers can automate requests to find and access articles through the widget. The KB Article Page widget uses a predictable format for article IDs, making it easier for attackers to iterate over and identify exposed articles.

How to Secure Knowledge Bases Against Unauthorized Access

Run Regular Diagnostics on Knowledge Base Access Controls

ServiceNow’s User Criteria diagnostics tool helps administrators identify which users, both authenticated and unauthenticated, have access to Knowledge Bases and individual articles. Use /get_public_knowledge_bases.do to find public Knowledge Bases and /km_diagnostics.do for a full diagnostics tool.

Use Business Rules to Deny Unauthenticated Access by Default

Activate the “sys_id 6c8ec5147711111016f35c207b5a9969” Business Rule, which adds the Guest User to the “Cannot Read and Cannot Contribute” User Criteria for Knowledge Bases.
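The following audit script is an added example, not code from the article or from ServiceNow: it checks constructed Knowledge Base access-control records for the three misconfigurations listed above and treats the Guest User denylist described in this section as the mitigating control. The record fields, the "Employees" criterion and the sample Knowledge Base names are assumptions; the criterion names "Any User", "Any user for kb" and "Cannot Read and Cannot Contribute" come from the article.

```python
"""Audit constructed Knowledge Base access records for the article's three
misconfigurations. Added example; record fields and sample data are assumed."""
from dataclasses import dataclass, field

# User Criteria that the article says admit unauthenticated users
OPEN_READ_CRITERIA = {"Any User", "Any user for kb"}
# Criterion the Business Rule populates with the Guest User (name from the article)
GUEST_DENY_CRITERION = "Cannot Read and Cannot Contribute"


@dataclass
class KnowledgeBase:
    name: str
    can_read: set = field(default_factory=set)     # "Can Read" User Criteria names
    cannot_read: set = field(default_factory=set)  # "Cannot Read" User Criteria names


def audit_kb(kb, legacy_public_default=False):
    """Return a list of findings; an empty list means no exposure was found.

    legacy_public_default models an older instance where a KB with no
    Can Read criteria is readable by the public (misconfiguration 1)."""
    findings = []
    # A Cannot Read denylist containing the Guest User blocks unauthenticated
    # reads regardless of the Can Read criteria: the article's mitigation.
    guest_denied = GUEST_DENY_CRITERION in kb.cannot_read
    if not kb.can_read and legacy_public_default and not guest_denied:
        findings.append("no Can Read criteria on a legacy instance: public by default")
    open_criteria = kb.can_read & OPEN_READ_CRITERIA
    if open_criteria and not guest_denied:
        findings.append(f"Can Read uses {sorted(open_criteria)}: unauthenticated users can read")
    if not kb.cannot_read:
        findings.append("no Cannot Read denylist configured")
    return findings


def audit_instance(kbs, legacy_public_default=False):
    """Map each KB name to its findings, keeping only KBs that have at least one."""
    return {kb.name: f for kb in kbs if (f := audit_kb(kb, legacy_public_default))}


# Constructed sample records, not taken from any real instance.
SAMPLE_KBS = [
    KnowledgeBase("IT Runbooks", can_read={"Any user for kb"}),
    KnowledgeBase("HR Policies", can_read={"Employees"}, cannot_read={GUEST_DENY_CRITERION}),
    KnowledgeBase("Legacy FAQ"),  # no criteria at all
    KnowledgeBase("Public Help", can_read={"Any User"}, cannot_read={GUEST_DENY_CRITERION}),
]

if __name__ == "__main__":
    for name, findings in audit_instance(SAMPLE_KBS, legacy_public_default=True).items():
        print(name, *("  - " + f for f in findings), sep="\n")
```

Running it against the sample data flags "IT Runbooks" and "Legacy FAQ" and leaves the two Knowledge Bases whose denylist includes the Guest User clean, which is the state the Business Rule above produces.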

roosho Senior Engineer (Technical Services)
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog. 