CVE-2023-27351
Published: 20 April 2023
Summary
CVE-2023-27351 is a high-severity Improper Authentication (CWE-287) vulnerability in PaperCut MF. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2023-27351 is an authentication bypass vulnerability affecting PaperCut NG version 22.0.5 (Build 63914). The flaw resides in the SecurityRequestFilter class and stems from improper implementation of the authentication algorithm, enabling remote attackers to circumvent authentication controls entirely. It carries a CVSS 3.1 score of 7.5 and is tracked under CWE-287.
Unauthenticated attackers can exploit the issue over the network to bypass login mechanisms and obtain unauthorized access to the affected system, resulting in high-impact disclosure of sensitive information.
PaperCut knowledge base articles PO-1216 and PO-1219, along with the corresponding Zero Day Initiative advisory ZDI-23-232, outline mitigation steps including available patches, while CISA lists the CVE in its known exploited vulnerabilities catalog.
The associated EPSS score reached a peak of 0.8773 before receding to its current value of 0.6564, and the CISA entry confirms observed exploitation activity in real-world environments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-31127
Vulnerability details
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SecurityRequestFilter class. The issue results from improper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19226.
- CWE(s): CWE-287
- KEV date added: see the CISA KEV catalog
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication decisions before granting access, blocking the improper-algorithm bypass in SecurityRequestFilter.
- IA-2 (Identification and Authentication (Organizational Users)): requires reliable identification and authentication of users before system access, directly countering the CWE-287 flaw that allows unauthenticated entry.
- SI-2 (Flaw Remediation): mandates timely remediation of known software flaws such as the reported authentication bypass in PaperCut NG 22.0.5.
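As an added illustration of what the AC-3 and IA-2 controls above ask of a request filter, the following Python is a hypothetical fail-closed authentication gate. It is not PaperCut's SecurityRequestFilter or any code from the vendor; the paths, session store and handlers are constructed for the example. The point it shows is the shape a correct filter has: the authentication decision is made before routing, every path is protected unless it is an exact member of a short explicit allowlist, and an unauthenticated request is refused before any handler (even a 404 handler) can run.

```python
"""Hypothetical fail-closed authentication gate (constructed example, not PaperCut code)."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


@dataclass
class Request:
    path: str
    session_id: Optional[str] = None
    user: Optional[str] = None      # filled in by the filter once authenticated


@dataclass
class Response:
    status: int
    body: str


class SessionStore:
    """Server-side session table: opaque random token -> authenticated user."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # unguessable, server-issued identifier
        self._sessions[sid] = user
        return sid

    def user_for(self, session_id: Optional[str]) -> Optional[str]:
        if not session_id:
            return None
        return self._sessions.get(session_id)


Handler = Callable[[Request], Response]


class AuthenticationFilter:
    """Gate that runs before any handler is selected.

    Every request requires authentication unless its path is an exact member
    of the allowlist (IA-2). The decision is taken before routing, so an
    unauthenticated request never reaches a handler (AC-3).
    """

    def __init__(self, sessions: SessionStore, handlers: Dict[str, Handler],
                 public_paths: FrozenSet[str]) -> None:
        self.sessions = sessions
        self.handlers = handlers
        self.public_paths = public_paths

    def handle(self, request: Request) -> Response:
        if request.path not in self.public_paths:
            user = self.sessions.user_for(request.session_id)
            if user is None:
                # Deny by default; no routing, no handler, no information about the path.
                return Response(401, "authentication required")
            request.user = user
        handler = self.handlers.get(request.path)
        if handler is None:
            return Response(404, "not found")
        return handler(request)


def build_app() -> AuthenticationFilter:
    """Wire up a two-endpoint application with a constructed login handler."""
    sessions = SessionStore()

    def login(req: Request) -> Response:
        # Stand-in for a real credential check; issues a session for "admin".
        return Response(200, sessions.create("admin"))

    def admin_page(req: Request) -> Response:
        return Response(200, f"admin console for {req.user}")

    handlers: Dict[str, Handler] = {"/login": login, "/admin": admin_page}
    return AuthenticationFilter(sessions, handlers, frozenset({"/login"}))


def demo() -> Dict[str, int]:
    """Exercise the gate with constructed requests and return the status codes."""
    app = build_app()
    results: Dict[str, int] = {}
    results["anon_admin"] = app.handle(Request("/admin")).status
    results["forged_session"] = app.handle(Request("/admin", session_id="guess")).status
    results["anon_unknown"] = app.handle(Request("/no-such-page")).status
    sid = app.handle(Request("/login")).body
    results["authed_admin"] = app.handle(Request("/admin", session_id=sid)).status
    results["authed_unknown"] = app.handle(Request("/no-such-page", session_id=sid)).status
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The contrast worth noticing is `anon_unknown`: an unauthenticated request for an unknown path is answered 401, not 404, because the gate decides before the router does. A filter that routes first and authenticates second, or that protects only an enumerated set of "sensitive" paths, leaves exactly the kind of gap CWE-287 describes.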