CVE-2023-31046

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A Path Traversal vulnerability exists in PaperCut NG before 22.1.1 and PaperCut MF before 22.1.1. Under specific conditions, this could potentially allow an authenticated attacker to achieve read-only access to the server's filesystem, because requests beginning with "GET /ui/static/..//.." reach getStaticContent in UIContentResource.class in the static-content-files servlet.

Existe una vulnerabilidad de Path Traversal en PaperCut NG anterior a 22.1.1 y PaperCut MF anterior a 22.1.1. En condiciones específicas, esto podría permitir que un atacante autenticado obtenga acceso de solo lectura al sistema de archivos del servidor, porque las solicitudes que comienzan con "GET /ui/static/..//.." alcanza getStaticContent en UIContentResource.class en el servlet static-content-files.

*Credits: N/A

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-04-24 CVE Reserved
2023-10-19 CVE Published
2024-09-13 CVE Updated
2024-09-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (4)

URL	Tag	Source
https://research.aurainfosec.io/disclosure/papercut	Third Party Advisory
https://web.archive.org/web/20230814061444/https://research.aurainfosec.io/disclosure/papercut	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#security-notifications	2023-10-26
https://www.papercut.com/kb/Main/SecurityBulletinJune2023	2023-10-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Papercut Search vendor "Papercut"		Papercut Mf Search vendor "Papercut" for product "Papercut Mf"				< 22.1.1 Search vendor "Papercut" for product "Papercut Mf" and version " < 22.1.1"		-		Affected
Papercut Search vendor "Papercut"		Papercut Ng Search vendor "Papercut" for product "Papercut Ng"				< 22.1.1 Search vendor "Papercut" for product "Papercut Ng" and version " < 22.1.1"		-		Affected