https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 <br/></td> CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"/>https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 <br/></td> CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"/>
Improper Input Validation (CWE-20)
This vulnerability allows remote attackers to disclose sensitive information on affected installations of PaperCut NG. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the upload endpoint. By uploading a symbolic link, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose information in the context of root.
This vulnerability has a high impact on confidentiality. Attackers can potentially access and read sensitive information stored on the affected system, including data that should only be accessible to users with root privileges. This could lead to exposure of critical system information, user data, or other confidential content. The vulnerability has a CVSS base score of 6.5, which is considered medium severity. However, the confidentiality impact is rated as HIGH, indicating significant potential for data exposure.
One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of proof of exploitation at the moment.
PaperCut has issued an update to correct this vulnerability. More details can be found at: https://www.papercut.com/kb/Main/Security-Bulletin-March-2024
1. Apply the patch provided by PaperCut as soon as possible. 2. Monitor and audit file upload activities, especially those targeting the upload endpoint. 3. Implement strong authentication mechanisms and regularly review and update access controls. 4. Consider implementing additional security measures such as input validation and sanitization for file uploads. 5. Regularly monitor system logs for any suspicious activities related to file access or information disclosure. 6. If immediate patching is not possible, consider temporarily disabling or restricting access to the upload functionality until the patch can be applied.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
NVD published the first details for CVE-2024-1221
Feedly found the first article mentioning CVE-2024-1221. See article
EPSS Score was set to: 0.04% (Percentile: 7.2%)
Detection for the vulnerability has been added to Qualys (379515)
Feedly estimated the CVSS score as MEDIUM
A CVSS base score of 3.1 has been assigned.