PT-2024-08: Reading arbitrary files when scanning a project linked to a git repository in PT Application Inspector (PT AI) Vendor: Positive TechnologiesProduct: PT Application Inspector (PT AI)Vulnerable version: 4.3.1 - 4.7.2Vulnerability type:- CWE-61: UNIX Symbolic Link (Symlink) FollowingIdentifier (ID):BDU:2024-06217Vulnerability vector:- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L- Severity (CVSSv3.1): 8.2 (high)- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L- Severity (CVSSv4.0): 8.4 (high)Description:The vulnerability was identified in PT AI affecting versions 4.3.1 to 4.7.2. The vulnerability can be exploited by an attacker with network access to the PT AI control server to read source code files of other user's projects. The vulnerability can be exploited for privilege escalation. Exploitation of the vulnerability requires authorization of the "developer" role or higher, as well as access with modification rights to the git repository branch from which the project was created in Application Inspector.Vulnerability status: Confirmed by vendorDate of vulnerability detection: 31.07.2024Recommendations:- Update to version 4.3.1.37717 or higher- Update to version 4.7.3 or higherAdditional information: Security BulletinResearcher: Aleksey Goncharov (Positive Technologies)