Critical Bugs Found in PaperCut Allow RCEVulnerability Could Allow Attackers to Read, Delete or Upload Arbitrary Files
A recently identified security vulnerability in PaperCut print management software holds the potential for high-severity outcomes and could let unauthorized hackers run code remotely.
The flaw, tracked as CVE-2023-39143, is a path traversal or file upload remote code execution vulnerability that involves the manipulation of file paths within the software's code.
Naveen Sunkavally of Horizon3.ai in a security advisory said this vulnerability could allow an attacker to navigate outside the intended directory structure and access, delete or upload arbitrary files on the application server.
The software is used in a wide array of environments ranging from universities with large printer fleets supporting over 100,000 users to smaller organizations that track printing for fewer than 50 users on three or four printers, according to the company website.
PaperCut released PaperCut NG/MF version 22.1.3 and urged users to upgrade directly to this release from any previous version of PaperCut NG/MF. The flaw affects PaperCut NG and MF print management software running on Windows prior to version 22.1.3.
According to the cybersecurity company, the scenario in which an uploaded file could lead to remote code execution becomes feasible when the default-enabled external device integration setting is active. This default setting is turned on in certain installations of PaperCut.
"We estimate that the vast majority of PaperCut installations are running on Windows with the external device integration setting turned on," Sunkavally said.
Ransomware hackers previously targeted PaperCut installations with administrator access and used them to gain further privileges. In April, an affiliate of the Russian-speaking Clop ransomware-as-a-service gang and the LockBit cybercrime group each actively exploited vulnerabilities in PaperCut (see: Ransomware Hackers Exploit PaperCut Bugs).