PT-2024-06: Reading arbitrary files in the component Web IDE in PT Application Inspector (PT AI)

Vendor: Positive Technologies

Product: PT Application Inspector (PT AI)

Vulnerable version: 4.4 - 4.7.2

Vulnerability type:

- CWE-36: Absolute Path Traversal

Identifier (ID):

BDU:2024-06215

Vulnerability vector:

- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

- Severity (CVSSv3.1): 8.2 (high)

- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

- Severity (CVSSv4.0): 8.4 (high)

Description:

The vulnerability was identified in PT AI affecting versions 4.4 to 4.7.2.
The vulnerability can be exploited by an attacker with network access to the PT AI control server to read source code files of other user's projects. Exploitation of the vulnerability requires authorization of the "developer" role or higher.

Vulnerability status: Confirmed by vendor

Date of vulnerability detection: 31.07.2024

Recommendations: Update to version 4.7.3 or higher.

Additional information: Security Bulletin

Researcher: Dmitriy Kuramin (Jet Infosystems)