Source: AttackerKB
ID: AKB:DCC49204-DEDF-4481-A2E0-9147642F76FB
History: Apr 20, 2023 - 12:00 a.m.

CVE-2023-27350


CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.971 High
Percentile: 99.7%

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

Recent assessments:

sfewer-r7 at April 21, 2023 9:06am UTC reported:

Overview

On April 14, 2023 the Zero Day Initiative published two advisories, ZDI-23-233 aka CVE-2023-27350 and ZDI-23-232 aka CVE-2023-27351, for two vulnerabilities affecting PaperCut MF and PaperCut NG.

PaperCut have released their own advisory for these two vulnerabilities. The vulnerability CVE-2023-27350 allows an unauthenticated attacker to achieve remote code execution on a vulnerable PaperCut MF or NG Application Server and affects all versions of both products, from version 8.0 up to the patched version (as listed below). The CVE has been rated critical and has a CVSS base score of 9.8. On April 19, 2023, PaperCut updated their advisory to report that this vulnerability has been exploited in the wild.

On April 21, 2023, Huntress published technical details on the vulnerability.

Guidance

A vendor-supplied patch is available and should be applied to successfully remediate the issue.

For PaperCut MF the following versions remediate the issue:

For PaperCut NG the following versions remediate the issue:

Assessed Attacker Value: 0
