
Cloud Vulnerability DB
A community-led vulnerabilities database
An arbitrary file deletion vulnerability (CVE-2024-3037) exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. The vulnerability was discovered and disclosed in May 2024. The affected systems include PaperCut NG and MF versions up to (excluding) 23.0.9 running on Windows servers (NVD).
The specific flaw exists within the pc-web-print service. By creating a symbolic link, an attacker can abuse the service to delete a file. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties) and CWE-59 (Improper Link Resolution Before File Access) (ZDI, NVD).
An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. The vulnerability could pose a significant risk to customers who allow non-administrative users to log in to the local console of the Windows environment hosting the PaperCut NG/MF application server (ZDI, NVD).
PaperCut has issued an update to correct this vulnerability. The fix is available in version 23.0.9 and later of PaperCut NG/MF. Organizations are advised to upgrade to the latest version to protect against this vulnerability (ZDI).
The vulnerability was initially reported to the vendor on March 15, 2024, and a coordinated public release of the advisory was made on July 31, 2024. The vulnerability was later split into two separate CVEs (CVE-2024-3037 and CVE-2024-8404) with updated scoring to reflect the worst-case scenario (ZDI).
Source: This report was generated using AI