Following on from our previous 22.1.1 security hardening release, PaperCut NG and PaperCut MF 22.1.3 contain patches to address vulnerabilities identified through our security uplift program, which includes internal pen testing, code audits and engagement with industry-leading partners in the infosec community.

For other security vulnerability and security bulletin information, see our Security vulnerability information and common security questions page.

We recommend all customers plan an upgrade to this release.

PaperCut would like to thank the infosec community who have assisted with our continued security uplift for PaperCut NG/MF over the last few months. In particular we would like to thank Naveen Sunkavally and the team at Horizon 3, researchers at Trend Micro and researchers from Tenable, Inc.

## Security Issues Addressed

### Potential Denial of Service Issue (CVE-2023-3486)

We want to thank the security researchers at Tenable who reported a means that could allow an unauthenticated attacker with direct server IP access to upload arbitrary files into a target directory. This could be used to fill up the server's hard disk and prevent the PaperCut server from operating as expected.

This issue is also known as "TRA-2023-23" by Tenable.

This vulnerability has been rated with a CVSS score of 7.4: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C

Note: Tenable are looking to publicly disclose additional information in the upcoming weeks.

Update: Tenable released their public disclosure on 28th August 2023, titled

### Chained Path Traversal in Authenticated API (CVE-2023-39143)

The security research team at Horizon3.ai carried out complex security research to identify two path traversal vulnerabilities which could potentially be leveraged to read and write arbitrary files. The Horizon3.ai team has worked with PaperCut to mitigate and validate our fixes.

The PaperCut development team would like to thank Naveen and the research team at Horizon3.ai. We would like to acknowledge their sophisticated research methods, as finding and demonstrating the issue required chaining multiple complex steps together. It is probably some of the most in-depth research that has ever been applied to PaperCut.

This vulnerability has been rated with a CVSS score of 8.4: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H/E:P/RL:O/RC:C

Note: Horizon3.ai are looking to publicly disclose additional information in the upcoming weeks.

Update: Horizon3.ai released their disclosure on 5th August 2023: CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability

### Third Party Library Update (ZDI-CAN-21013)

A vulnerability was found in a third party dependency used to support the PostgreSQL database (CVE-2022-21724). Someone who already has administrator access to a PaperCut server could use this issue to gain further privileges.

Thanks to the team at Trend Micro who demonstrated that PaperCut could potentially be susceptible to this third party dependency issue.