CVE-2023-27351
KEVPaperCut NG/MF Improper Authentication Vulnerability
7.5
HighPublished:
Last updated:
Source:zdi-disclosures@trendmicro.com
Analyzed
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- None
- Availability
- None
Description
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.
References
zdi-disclosures@trendmicro.com
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219zdi-disclosures@trendmicro.com
https://www.zerodayinitiative.com/advisories/ZDI-23-232/af854a3a-2127-422b-91ae-364da2661108
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219af854a3a-2127-422b-91ae-364da2661108
https://www.zerodayinitiative.com/advisories/ZDI-23-232/134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27351