CISA adds PaperCut (CVE-2023-27350) flaw to its Known Exploited Vulnerabilities Catalog

CVE-2023-27350

The ever-evolving world of cybersecurity never seems to take a break. As the digital landscape continues to expand, so do the security risks that come with it. In a recent update, the Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog. These vulnerabilities are under active exploitation and pose significant risks to the federal enterprise and beyond.


  1. MinIO Information Disclosure Vulnerability (CVE-2023-28432)

With a CVSS score of 7.5, the MinIO information disclosure vulnerability could enable remote attackers to gain access to sensitive information. MinIO is a popular multi-cloud object storage framework. The vulnerability arises from a flaw in the cluster deployment implementation, potentially exposing the MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD environment variables to unauthorized parties.

An attacker, armed with a specially crafted request, could exploit this vulnerability to extract these sensitive variables and launch further attacks against the affected system. It’s essential for organizations using MinIO to assess their deployment and take necessary precautions to mitigate this risk.

  2. PaperCut MF/NG Improper Access Control Vulnerability (CVE-2023-27350)

With a staggering CVSS score of 9.8, the PaperCut MF/NG improper access control vulnerability is a critical security issue. This vulnerability affects installations of PaperCut NG 22.0.5 (Build 63914) and allows remote attackers to bypass authentication. No authentication is required to exploit it.

The CVE-2023-27350 flaw resides within the SetupCompleted class and results from inadequate access control. Attackers can leverage this vulnerability to bypass authentication, execute arbitrary code in the context of SYSTEM, and potentially gain complete control of the affected system. Organizations using PaperCut NG must act swiftly to patch this vulnerability and prevent unauthorized access.

  3. Google Chrome Skia Integer Overflow Vulnerability (CVE-2023-2136)

Google Chrome users, beware! An integer overflow vulnerability in the Skia component could enable remote attackers to execute arbitrary code on your system. If a victim is persuaded to visit a specially crafted website, an attacker can exploit this vulnerability to run arbitrary code on the system or cause the application to crash.

Given the widespread use of Google Chrome, this vulnerability has far-reaching implications. Users should keep their browser up to date and apply any security patches released by Google to protect themselves from potential attacks.