Critical RCE vulnerability CVE-2023-39143 in PaperCut before version 22.1.3

Anyone using the PaperCut MF/NG print management solution on Windows should urgently patch the product. A critical RCE vulnerability, CVE-2023-39143, that has just been disclosed allows PaperCut servers to be taken over. The vendor has already released a security patch that eliminates the vulnerability.

RCE vulnerability CVE-2023-39143

CVE-2023-39143 affects PaperCut NG and PaperCut MF on Windows prior to version 22.1.3. These versions are vulnerable to path traversal, which allows attackers to read, delete, and upload arbitrary files on the print servers. The vulnerability has a CVSS score of 8.4.

The vulnerability was uncovered by security researchers at Horizon AI, who describe it in the blog post "CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability", dated August 4, 2023. The researchers advise administrators who run PaperCut on Windows, with the server accessible via the Internet, to patch immediately to the latest version and to read the July 2023 PaperCut security bulletin.

PaperCut Security Bulletin

PaperCut has released the PaperCut NG/MF Security Bulletin (July 2023), in which the vendor describes several security issues. In addition to the RCE vulnerability CVE-2023-39143, the bulletin covers a potential denial-of-service vulnerability, CVE-2023-3486, reported by Tenable. This has a CVSS score of 7.4.

Furthermore, a vulnerability (CVE-2022-21724) was found by Trend Micro in a third-party library used to support the PostgreSQL database. Attackers with administrator access to a PaperCut server could exploit this vulnerability to gain additional privileges.

PaperCut has fixed the vulnerabilities in PaperCut version 22.1.3 of its Windows print management solution. Administrators should therefore patch the installation as soon as possible.
