Privilege Escalation Vulnerability
CVE-2023-6006

6.7MEDIUM

Key Information:

Vendor: Papercut
Status: Papercut Ng, Papercut Mf
Vendor: CVE Published:; 14 November 2023

Summary

This vulnerability potentially allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must have local write access to the C Drive. In addition, Print Archiving must be enabled or the attacker needs to encounter a misconfigured system. This vulnerability does not apply to PaperCut NG installs that have Print Archiving enabled and configured as per the recommended set up procedure. This specific flaw exists within the pc-pdl-to-image process. The process loads an executable from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM

Note: This CVE has been rescored with a "Privileges Required (PR)" rating of low, and “Attack Complexity (AC)” rating of low, reflecting the worst-case scenario where an Administrator has granted local login access to standard network users on the host server.

Affected Version(s)

PaperCut NG, PaperCut MF Windows 0 < 23.0.0

References

https://www.papercut.com/kb/Main/Security-Bulletin-Novemb...

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 14, 2023
Vulnerability Reserved
Nov 8, 2023

Credit

Amol Dosanjh of Trend Micro

Michael DePlante(@izobashi) of Trend Micro's ZDI