
Cloud Vulnerability DB
A community-led vulnerabilities database
PaperCut NG contains a vulnerability that allows unauthenticated XMLRPC commands to be executed by default. The vulnerability affects versions 22.0.12 and below, with later versions potentially affected due to the absence of a vendor-supplied patch. This vulnerability was assigned CVE-2023-4568 and was disclosed in September 2023 (Tenable Advisory).
The vulnerability stems from insufficient access controls for XMLRPC operations in PaperCut NG. Access to XMLRPC operations is controlled by various allowed IP lists, but by default, many allowed IP lists (including auth.providers.allowed-addresses) are configured with wildcard settings. This configuration allows unauthenticated remote attackers to issue XMLRPC calls. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (Tenable Advisory).
The vulnerability allows unauthorized access to XMLRPC functionality, potentially enabling attackers to perform operations such as adding printers and retrieving configuration information. This could lead to unauthorized system modifications and information disclosure (Tenable Advisory).
PaperCut's security team has acknowledged the behavior and potential impacts of this issue but does not plan to provide a patch. Users are advised to implement relevant mitigations as recommended by product documentation, particularly focusing on properly configuring IP address restrictions for XMLRPC access (Tenable Advisory).
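The mitigation above comes down to finding every allowed-address list that is still set to a wildcard. The following is an added example, not code from PaperCut or the Tenable advisory: it audits a `key=value` listing of configuration entries and reports wildcard or overly broad lists. The listing format, the comma-separated value syntax, the breadth thresholds and every key other than `auth.providers.allowed-addresses` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample listing. The key=value format is an assumption, and only
# auth.providers.allowed-addresses is named on the page; the "example." keys
# are hypothetical placeholders.
SAMPLE_CONFIG = """\
# constructed sample
auth.providers.allowed-addresses=*
example.hypothetical.allowed-addresses=10.20.0.5, 10.20.1.0/255.255.255.0
example.other.allowed-addresses=0.0.0.0/0,127.0.0.1
system.name=print-server-01
"""

KEY_SUFFIX = ".allowed-addresses"
# Assumed local policy: networks broader than these prefixes are flagged.
MIN_PREFIX = {4: 16, 6: 48}


def classify_entry(entry):
    """Return 'wildcard', 'broad', 'invalid' or 'ok' for one list entry."""
    entry = entry.strip()
    if entry == "*":
        return "wildcard"
    try:
        # strict=False accepts host addresses and dotted netmasks alike.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "invalid"
    if net.prefixlen == 0:
        return "wildcard"  # 0.0.0.0/0 or ::/0 matches every client
    if net.prefixlen < MIN_PREFIX[net.version]:
        return "broad"
    return "ok"


def audit_config(text):
    """Return (key, entry, verdict) for every allowed-address entry not 'ok'."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if not key.strip().endswith(KEY_SUFFIX):
            continue
        for entry in filter(None, (e.strip() for e in value.split(","))):
            verdict = classify_entry(entry)
            if verdict != "ok":
                findings.append((key.strip(), entry, verdict))
    return findings
```

Any `wildcard` finding marks a list that admits every client and should be replaced with the specific addresses that need XMLRPC access.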
Source: This report was generated using AI