PT-2024-09: Creating arbitrary files during project creation in PT Application Inspector (PT AI)

HIGH
(7.0) CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N


Vendor: Positive Technologies

Product: PT Application Inspector (PT AI)

Vulnerable version: 4.3.1 - 4.7.2

Vulnerability type:

- CWE-59: Improper Link Resolution Before File Access ('Link Following')

Vulnerability vector:

- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

- Severity (CVSSv3.1): 6.3 (medium)

- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

- Severity (CVSSv4.0): 7.0 (high)

Description:

The vulnerability affects PT AI versions 4.3.1 through 4.7.2.
An attacker with network access to the PT AI control server and an account holding the "Project Security Manager" role or higher can exploit it during project creation to create arbitrary files on the server. Existing files cannot be overwritten.
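The weakness class behind this advisory, CWE-59, is a file operation that trusts a path whose directory component an attacker can replace with a symbolic link. The following is an added illustration of that class and of the check that defeats it; it is not PT AI code and makes no claim about how PT AI creates project files. It assumes a hypothetical "projects" directory into which one file per project is written, a constructed scenario in which a symlink named `evil` has been planted there, and a POSIX platform (it relies on `O_NOFOLLOW`, `O_DIRECTORY` and `dir_fd`). The naive routine lands the file outside the base directory; the hardened routine validates the name as a single path component, opens each directory level with `O_NOFOLLOW`, and creates the file with `O_EXCL` so that, as in the advisory, existing files are never overwritten.

```python
import os
import tempfile

# Create-only, never follow a symlink at the final component, never clobber.
FILE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
# Open a directory by name and refuse if that name is a symlink.
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


def validate_project_name(name: str) -> str:
    """Accept a single path component only: no separators, no '.'/'..', no NUL."""
    if not name or name in (".", "..") or "\x00" in name:
        raise ValueError("invalid project name")
    if os.sep in name or (os.altsep and os.altsep in name):
        raise ValueError("invalid project name")
    return name


def create_project_file_unsafe(base_dir: str, project_name: str, data: bytes) -> str:
    """Hypothetical naive project-creation step (CWE-59 pattern).

    Mode 'x' stops overwrites, but the directory part of the path is resolved
    by the kernel, so a symlink planted at base_dir/project_name redirects the
    new file to wherever the link points.
    """
    path = os.path.join(base_dir, project_name, "project.json")
    os.makedirs(os.path.dirname(path), exist_ok=True)  # treats a symlink-to-dir as "exists"
    with open(path, "xb") as f:
        f.write(data)
    return os.path.realpath(path)  # where the file really ended up


def create_project_file_safe(base_dir: str, project_name: str, data: bytes) -> str:
    """Hardened version: walk one component at a time without following links."""
    name = validate_project_name(project_name)
    base_fd = os.open(base_dir, DIR_FLAGS)
    try:
        try:
            os.mkdir(name, 0o750, dir_fd=base_fd)
        except FileExistsError:
            pass  # the O_NOFOLLOW open below decides whether the existing entry is acceptable
        # ELOOP if 'name' is a symlink, ENOTDIR if it is a regular file.
        project_fd = os.open(name, DIR_FLAGS, dir_fd=base_fd)
        try:
            fd = os.open("project.json", FILE_FLAGS, 0o640, dir_fd=project_fd)
            with os.fdopen(fd, "wb") as f:
                f.write(data)
        finally:
            os.close(project_fd)
    finally:
        os.close(base_fd)
    return os.path.join(os.path.realpath(base_dir), name, "project.json")


def demo() -> dict:
    """Constructed scenario: a symlink named 'evil' inside the projects directory
    points to a directory outside it. Returns the outcome of each routine."""
    root = tempfile.mkdtemp()
    projects = os.path.join(root, "projects")
    outside = os.path.join(root, "outside")
    os.mkdir(projects)
    os.mkdir(outside)
    os.symlink(outside, os.path.join(projects, "evil"))

    # Naive routine: the file is created under 'outside', not under 'projects'.
    unsafe_path = create_project_file_unsafe(projects, "evil", b"{}")
    unsafe_escaped = unsafe_path.startswith(os.path.realpath(outside) + os.sep)

    # Hardened routine: the symlinked component is refused with ELOOP.
    try:
        create_project_file_safe(projects, "evil", b"{}")
        safe_blocked = False
    except OSError:
        safe_blocked = True

    # Hardened routine still works for an honest name and stays inside the base.
    good_path = create_project_file_safe(projects, "legit", b"{}")
    safe_inside = good_path.startswith(os.path.realpath(projects) + os.sep)

    # Names carrying separators (traversal attempts) never reach the filesystem.
    try:
        create_project_file_safe(projects, "../x", b"{}")
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True

    return {
        "unsafe_escaped": unsafe_escaped,
        "safe_blocked": safe_blocked,
        "safe_inside": safe_inside,
        "traversal_rejected": traversal_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Opening each directory level with `O_NOFOLLOW` and passing the resulting descriptor as `dir_fd` is what closes the race: a `realpath` check before the write would still leave a window in which the directory can be swapped for a link. Mounting the projects directory on a filesystem the low-privilege role cannot create symlinks in is a reasonable belt-and-braces control, but not a substitute.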

Vulnerability status: Confirmed by vendor

Date of vulnerability detection: 31.07.2024

Recommendations:

- Update to version 4.3.1.37717 or higher

- Update to version 4.7.3 or higher

Additional information: Security Bulletin

Researcher: Aleksey Goncharov (Positive Technologies)
