Arbitrary File Creation in PaperCut NG/MF Web Print Image Handler
CVE-2024-4712

7.8 HIGH

Key Information:

Vendor: PaperCut
CVE Published: 14 May 2024

What is CVE-2024-4712?

An arbitrary file creation vulnerability exists in PaperCut NG/MF and affects Windows servers with Web Print enabled. The image-handler process mishandles input: when supplied with a specially crafted payload, it can be made to create files that did not previously exist. This can lead to local privilege escalation, particularly where standard network users have been granted local login access to the affected servers. Organizations running PaperCut NG/MF should prioritize mitigation to secure their installations.

Affected Version(s)

PaperCut NG, PaperCut MF (Windows): versions from 0 up to, but not including, 23.0.9

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

Credit

Nicholas Zubrisky (@NZubrisky) of Trend Micro Research