PaperCut NG/MF Security Bulletin (December 2024)
Executive Summary
This security bulletin covers the improvements and changes in the newly released versions of PaperCut NG/MF. This release includes a fix for the CVE described in this bulletin.
While PaperCut has assessed this issue as posing a low security risk in practice, we recommend that organizations whose PaperCut NG/MF servers allow console or local login access for non-admin users prioritize this upgrade.
How to upgrade
Perform a standard over-the-top update. This is the simplest way to do it:
- Log in to the PaperCut NG/MF admin interface and click the About tab.
- Click the Check for updates button.
- Download the latest update.
- Install over-the-top of your existing PaperCut NG/MF install.
- Done - the version under About > Version info should now show the latest version.
Security issues addressed
| Issue | Notes | CVSS rating and vector |
|---|---|---|
| CVE-2024-9672 Reflected XSS in PaperCut | A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. It can be used to execute specially crafted JavaScript payloads in the victim's browser. A user must click on a malicious link for this issue to occur. | 6.3 (CVSS v4). Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N |
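The table names the vulnerability class but, as is usual for a bulletin, not the affected code path. The following is an added, generic illustration (not PaperCut's code, and not a description of the CVE-2024-9672 code path) of how a reflected XSS arises when a request parameter is echoed into a page unencoded, shown next to the hardened form. The host `printserver.example`, the `q` parameter, the sample link and the Content-Security-Policy value are all constructed for this example.

```javascript
// Added, generic illustration of a reflected XSS and its fix. This is NOT
// PaperCut code and does not describe the CVE-2024-9672 code path; the host
// name, the `q` parameter and the sample link below are constructed.

// Encode the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value. This encoder is correct for
// those two contexts only; values placed inside <script>, inline event
// handlers or URLs need context-specific encoding instead.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Read the `q` query parameter from a full request URL ('' when absent).
function searchTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get('q') ?? '';
}

// VULNERABLE: the parameter is interpolated into the page verbatim, so a
// crafted link reflects attacker-controlled markup into the victim's browser.
function renderVulnerable(requestUrl) {
  return `<h1>Results for ${searchTerm(requestUrl)}</h1>`;
}

// HARDENED: the same page with output encoding applied at the point of use.
function renderHardened(requestUrl) {
  return `<h1>Results for ${escapeHtml(searchTerm(requestUrl))}</h1>`;
}

// Defence in depth for the hardened page: a response carrying a CSP that
// blocks inline script, plus nosniff. The policy is an assumed baseline for
// this example, not a PaperCut setting.
function hardenedResponse(requestUrl) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': "default-src 'self'; object-src 'none'; base-uri 'none'",
      'X-Content-Type-Options': 'nosniff',
    },
    body: renderHardened(requestUrl),
  };
}

// Observable used to compare the two renders: the tag names a browser would
// parse from the HTML. An encoded '&lt;' never starts a tag, so an injected
// element shows up only in the vulnerable output.
function tagNames(html) {
  return Array.from(
    html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g),
    (m) => m[1].toLowerCase(),
  );
}

// Constructed sample link of the kind a victim would be lured into clicking.
const SAMPLE_LINK =
  'https://printserver.example/app/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E';

function demo() {
  const vulnerable = renderVulnerable(SAMPLE_LINK);
  const hardened = renderHardened(SAMPLE_LINK);
  console.log('vulnerable:', vulnerable, tagNames(vulnerable));
  console.log('hardened:  ', hardened, tagNames(hardened));
  return { vulnerable, hardened };
}

demo();
```

The vulnerable render turns the link into a second element (`img` with an `onerror` handler) that the browser executes; the hardened render leaves the same bytes as inert text, which is exactly the difference between the two rows of `tagNames` output. Output encoding at the point of use is the fix; the CSP is a second layer that limits damage if another sink is missed, not a substitute for the upgrade the bulletin recommends.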
Switching to CVSS v4
As a CNA, PaperCut Software issues CVEs for its own products. A new update in the CVE space is the availability of the newer CVSS v4 scoring system. Each iteration of the CVSS Scoring System has aimed to improve on its predecessor, and the new CVSS v4 scoring system seeks to remediate many of the wider criticisms and limitations of CVSS v3. In line with the recommendations of cve.org and the information security community, we’ve decided to adopt CVSS v4 for our scoring and will be scoring future CVEs using CVSS v4.
Acknowledgements
PaperCut would like to thank Andrej Simko of Accenture for his excellent work in finding this CVE.
FAQs
Q Where can I get the upgrade?
The Check for updates link in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at PaperCut NG/MF Admin interface > About > Version info > Check for updates.
You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.
Alternatively, direct downloads are available on the upgrade page. It's easy to identify your edition of PaperCut - it's shown on the About tab and in the footer of your PaperCut web admin login.
Q How do I upgrade?
Applying this fix follows the standard upgrade process for PaperCut Application Servers and Site Servers, as described in the Upgrading PaperCut MF & NG (upgrade steps) documentation.
Q Is there anything I should be aware of before applying the upgrade?
No, this is a standard over-the-top upgrade.
Q Are there any mitigations for these vulnerabilities?
No, there are no mitigations available for this CVE, other than the recommended upgrade to 24.1.1 or later.
Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 24.1.1?
No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.
Direct downloads for these older supported versions are available on the upgrade page.
We strongly recommend all organizations upgrade to the latest version.
Q I’m running version 22.x or 23.x and due to operational reasons, I can’t upgrade to 24. Are hotfixes available for these older versions?
In this case, since this vulnerability is not rated as critical, the fix is only being included in our 24.1.1 (and later) releases and is not being back-ported to older supported versions.
See our supported versions policy for more information.
Security notifications
“How do I sign-up for PaperCut’s security mailing list?”
In order to get timely notifications of security news (including security-related fixes or vulnerability information), please subscribe to our security notifications list via our Security notifications sign-up form. If you're a sys admin, or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security-related news or updates.
Updates
| Date | Update/action |
|---|---|
| 10th Dec, 2024 (AEDT) | Published the initial Security Bulletin. |
| 10th Dec, 2024 (AEST) | Sent email notification to the PaperCut security notifications subscriber list. (Please note, the email notification incorrectly mentioned a CVSS score of 6.0. The correct CVSS score is 6.3, as detailed in the Security Bulletin above.) |
Categories: FAQ, Security and Privacy
Last updated December 10, 2024