PaperCut NG 22.0.5 Auth Bypass in SetupCompleted (remote, SYSTEM exec)
CVE-2023-27350 Published on April 20, 2023
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
Known Exploited Vulnerability
This PaperCut MF/NG Improper Access Control Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system.
The following remediation steps are recommended / required by May 12, 2023: Apply updates per vendor instructions.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2023-27350 has been classified as an Authorization vulnerability or weakness.
Products Associated with CVE-2023-27350
PaperCut NG and PaperCut MF.
Affected Versions
PaperCut NG Version 22.0.5 (Build 63914) is affected by CVE-2023-27350.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.