PaperCut NG/MF up to 20.1.9/21.2.13/22.1.4/23.0.6 System Identifier permissive list of allowed inputs

Summaryinfo

A vulnerability was found in PaperCut NG and MF up to 20.1.9/21.2.13/22.1.4/23.0.6. It has been classified as critical. Affected by this issue is some unknown functionality of the component System Identifier Handler. This manipulation causes permissive list of allowed inputs. This vulnerability is tracked as CVE-2024-1654. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as critical was found in PaperCut NG and MF up to 20.1.9/21.2.13/22.1.4/23.0.6. Affected by this vulnerability is an unknown code block of the component System Identifier Handler. The manipulation with an unknown input leads to a permissive list of allowed inputs vulnerability. The CWE definition for the vulnerability is CWE-183. The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

This vulnerability potentially allows unauthorized write operations which may lead to remote code execution. An attacker must already have authenticated admin access and knowledge of both an internal system identifier and details of another valid user to exploit this.

It is possible to read the advisory at papercut.com. This vulnerability is known as CVE-2024-1654 since 02/20/2024. The exploitation appears to be easy. The attack can be launched remotely. Additional levels of successful authentication are required for exploitation. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 20.1.10, 21.2.14, 22.1.5 or 23.0.7 eliminates this vulnerability.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Vendor

• PaperCut

Name

• MF
• NG

Version

• 20.1.0
• 20.1.1
• 20.1.2
• 20.1.3
• 20.1.4
• 20.1.5
• 20.1.6
• 20.1.7
• 20.1.8
• 20.1.9
• 21.2.0
• 21.2.1
• 21.2.2
• 21.2.3
• 21.2.4
• 21.2.5
• 21.2.6
• 21.2.7
• 21.2.8
• 21.2.9
• 21.2.10
• 21.2.11
• 21.2.12
• 21.2.13
• 22.1.0
• 22.1.1
• 22.1.2
• 22.1.3
• 22.1.4
• 23.0.0
• 23.0.1
• 23.0.2
• 23.0.3
• 23.0.4
• 23.0.5
• 23.0.6

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion