10-26-2023 03:38 AM
I was wondering if everyone is aware or can confirm what I am about to say is correct:
If you fail to add the criteria that Guest user account cannot read the knowledge base, you are at risk of external users accessing your internal knowledge by direct URL (given a permalink is an instance URL + \KB + an incremental number, I am guessing it is not too hard to achieve).
This was reported on a client account, but I am not sure the security weakness is adequately documented or understood or whether I have misinterpreted the access breach or whether this has now been addressed in current/future releases.
I now always make sure Guest cannot read non-public information.
I am aware that you may want to make certain information public via an external facing KB, but I would expect ServiceNow to default to Guest = cannot access on KB creation, but on PDI that does not seem to be the case.

10-26-2023 03:41 AM
Hi @jtshone
It's indeed not default.
You can check Knowledge > Administration > User Criteria Diagnostics > (Related Link) View knowledge bases accessible to unauthenticated users to see if there are knowledge bases which are not adequately protected from public, and see if this is correct for your use case.
Help others to find a correct solution by marking the appropriate response as accepted solution and helpful.

10-26-2023 03:51 AM
Thanks for the link. I cannot help feeling that is an open door that many will not understand and one that could simply have been fixed by setting the value by default at creation. My guess is > 90% of knowledge will not be targeted externally.

10-26-2023 03:57 AM
I agree.
I'm not sure, but I have a feeling that ServiceNow will start doing this differently based on the current vulnerabilities, but I can imagine it's hard to force this on current instances because you would potentially close knowledge bases which should be public.