CVE-2024-1222: 
PaperCut NG vulnerability analysis and mitigation

A critical authentication bypass vulnerability (CVE-2024-1222) was discovered in PaperCut NG/MF that allows attackers to gain elevated privileges through maliciously formed API requests. The vulnerability affects multiple versions of PaperCut NG/MF software and was disclosed in March 2024 (NVD, ZDI).

The vulnerability exists within the PrintDeployProxyController class and results from incorrect authorization implementation. It has received a CVSS v3.1 base score of 9.8 (Critical) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while PaperCut assigned it a score of 8.6 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L. The vulnerability requires no authentication to exploit and affects a small subset of PaperCut NG/MF API calls (NVD, ZDI).

If exploited, this vulnerability allows remote attackers to bypass authentication and gain access to API authorization levels with elevated privileges. This could potentially lead to unauthorized access to sensitive system functions and data (ZDI).

PaperCut has released security updates to address this vulnerability. Affected versions include PaperCut NG/MF versions up to 20.1.10, 21.0.0-21.2.14, 22.0.0-22.1.5, and 23.0.1-23.0.7. Users are advised to upgrade to the latest patched version (NVD).