Vendor: Positive Technologies
Product: PT Application Inspector (PT AI)
Vulnerable version: 4.3.1 - 4.7.2
Vulnerability type:
- CWE-36: Absolute Path Traversal
Vulnerability vector:
- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
- Severity (CVSSv3.1): 8.2 (high)
- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
- Severity (CVSSv4.0): 8.4 (high)
Description:
The vulnerability was identified in PT AI affecting versions 4.3.1 to 4.7.2.
The vulnerability can be exploited by an attacker with network access to the PT AI control server to read source code files from other users' projects. It can also be exploited for privilege escalation. Exploitation requires an account authorized with the "developer" role or higher.
Vulnerability status: Confirmed by vendor
Date of vulnerability detection: 31.07.2024
Recommendations:
- Update to version 4.3.1.37717 or higher
- Update to version 4.7.3 or higher
Additional information: Security Bulletin
Researcher: Vsevolod Dergunov (Positive Technologies)