CVE-2023-31046

Name of the Vulnerable Software and Affected Versions PaperCut NG versions prior to 22.1.1 PaperCut MF versions prior to 22.1.1

Description A Path Traversal issue exists, potentially allowing an authenticated attacker to achieve read-only access to the server's filesystem under specific conditions. This is because requests beginning with "GET /ui/static/..//.." reach getStaticContent in UIContentResource.class in the static-content-files servlet. The vulnerability is related to incorrect restriction of the directory path name with limited access, which may allow a remote attacker to gain unauthorized access to protected information.

Recommendations For PaperCut NG versions prior to 22.1.1, update to version 22.1.1 or later to resolve the issue. For PaperCut MF versions prior to 22.1.1, update to version 22.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the static-content-files servlet to minimize the risk of exploitation.