CVE-2023-27351

CVSS 8.2 HIGHEPSS 78.4%● KEVCWE-287

In short

PaperCut NG 22.0.5 has a flaw that allows attackers to skip the authentication process completely, gaining unauthorized access to the system without needing a password or credentials.

Technical detail

The SecurityRequestFilter class in PaperCut NG 22.0.5 (Build 63914) contains an improper authentication algorithm implementation that permits remote attackers to bypass authentication without credentials. The vulnerability is network-accessible and requires no pre-conditions, resulting in complete authentication bypass and unauthorized system access.

Summary generated and translated by AI from the official description.

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected products

PaperCut · NG

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27351 https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 https://www.zerodayinitiative.com/advisories/ZDI-23-232/