Authentication Bypass in PaperCut NG by PaperCut Software
CVE-2023-27351
7.5 HIGH
Summary
A vulnerability exists in PaperCut NG versions 22.0.5 and earlier, allowing remote attackers to bypass authentication without needing to provide valid credentials. This flaw is rooted in the SecurityRequestFilter class and arises from improper implementation of the authentication process. Exploiting this vulnerability enables unauthorized access to the system, putting sensitive information at risk.
Affected Version(s)
NG 22.0.5 (Build 63914)
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative