CVE-2023-39143
Published: 04 August 2023
Summary
CVE-2023-39143 is a critical-severity Path Traversal (CWE-22) vulnerability in PaperCut MF. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-39143 is a path traversal vulnerability affecting PaperCut NG and PaperCut MF versions prior to 22.1.3 running on Windows. The flaw, tracked under CWE-22, permits unauthorized upload, read, or deletion of arbitrary files on the server and can result in remote code execution when the commonly enabled external device integration feature is active. It carries a CVSS 3.1 base score of 9.8.
Unauthenticated attackers with network access can exploit the issue to achieve full compromise of the affected PaperCut installation, including arbitrary file operations that lead to code execution. No user interaction or credentials are required, and the attack surface is exposed by default in typical deployments.
Vendor guidance from PaperCut directs administrators to upgrade immediately to version 22.1.3 or later. Horizon3 research publications provide additional technical details on the flaw and recommended defensive steps.
The vulnerability maintains a high EPSS score with a recorded peak of 0.9209 and current value of 0.8818, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42884
Vulnerability details
PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).
- CWE(s): CWE-22 (Path Traversal)
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
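As an added illustration of the control listed above (example code, not PaperCut's own or anything from the advisory), the following Python function confines a user-supplied file name to a base directory using Windows path rules via the `ntpath` module, so it behaves identically on any host; the base directory and the sample inputs are constructed for the example.

```python
import ntpath

# Constructed example base directory; not a real PaperCut install path.
BASE_DIR = r"C:\AppServer\data"


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the permitted directory."""


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Join user_path under base_dir with Windows semantics and return the
    normalised absolute path, or raise PathTraversalError.

    The check is purely lexical: it does not follow NTFS junctions or
    symlinks, so base_dir must not contain attacker-controlled reparse points.
    """
    if not user_path.strip():
        raise PathTraversalError("empty path")
    # Reject anything that carries its own drive or root (C:\..., D:file,
    # \\server\share\..., or a rooted \Windows\...), because ntpath.join
    # would let such a component replace the base directory entirely.
    if ntpath.splitdrive(user_path)[0] or user_path.startswith(("\\", "/")):
        raise PathTraversalError(f"absolute or rooted path rejected: {user_path!r}")
    base = ntpath.normpath(base_dir)
    # normpath collapses '.' and '..' segments and treats '/' like '\'.
    candidate = ntpath.normpath(ntpath.join(base, user_path))
    try:
        # commonpath rather than startswith, so C:\AppServer\data-old is not
        # mistaken for a child of C:\AppServer\data. Windows filesystems are
        # case-insensitive, so both sides are lower-cased before comparing.
        common = ntpath.commonpath([base.lower(), candidate.lower()])
    except ValueError as exc:  # different drives or mixed absolute/relative
        raise PathTraversalError(str(exc)) from exc
    if common != base.lower():
        raise PathTraversalError(f"path escapes {base}: {candidate}")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under_base for callers that only need a verdict."""
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs as a file upload/read/delete endpoint might receive them.
    for sample in [r"reports\2023-08.csv", "reports/2023-08.csv", r"..\..\..\Windows\win.ini",
                   r"\Windows\win.ini", r"D:\other\file.txt", r"..\data-old\secret.txt"]:
        print(f"{sample!r:32} -> {'allowed' if is_confined(BASE_DIR, sample) else 'REJECTED'}")
```

The same `resolve_under_base` result should be used for every file operation the endpoint performs (write, read and delete alike), so that the check and the use cannot diverge.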