CVE-2023-27351

2023-04-2016:15:07

CWE-287

[email protected]

web.nvd.nist.gov

In Wild

papercut ng

authentication bypass

vulnerability

cve-2023-27351

nvd

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

9.2

Confidence

High

EPSS

0.03

Percentile

90.9%

JSON

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

Affected configurations

NVD

Node

papercutpapercut_mfRange15.0.0–20.1.7

papercutpapercut_mfRange21.0.0–21.2.11

papercutpapercut_mfRange22.0.0–22.0.9

papercutpapercut_ngRange15.0.0–20.1.7

papercutpapercut_ngRange21.0.0–21.2.11

papercutpapercut_ngRange22.0.0–22.0.9

CNA Affected

[
  {
    "vendor": "PaperCut",
    "product": "NG",
    "versions": [
      {
        "version": "22.0.5 (Build 63914)",
        "status": "affected"
      }
    ]
  }
]