PT-2024-04: Remote Code Execution at scan startup in PT Application Inspector (PT AI) Vendor: Positive TechnologiesProduct: PT Application Inspector (PT AI)Vulnerable version: 4.3.1 - 4.7.2Vulnerability type:- CWE-141: Improper Neutralization of Parameter/Argument DelimitersIdentifier (ID):BDU:2024-06213Vulnerability vector:- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H- Severity (CVSSv3.1): 8.8 (high)- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N- Severity (CVSSv4.0): 8.7 (high)Description:The vulnerability was identified in PT AI affecting versions 4.3.1 to 4.7.2. The vulnerability can be exploited by an attacker with network access to the PT AI management server to remotely execute code on the scan agent. Exploitation of the vulnerability requires authorization of the "project security manager" role or higher.Vulnerability status: Confirmed by vendorDate of vulnerability detection: 31.07.2024Recommendations: - Update to version 4.3.1.37717 or higher- Update to version 4.7.3 or higherAdditional information: Security BulletinResearcher: Vsevolod Dergunov (Positive Technologies)