Vasion Print Unauthenticated Access to Internal Docker APIs via Authentication Bypass Vulnerability

An authentication bypass vulnerability has been identified in Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.2.169 and Application versions prior to 25.2.1518, specifically in VA/SaaS deployments. This vulnerability arises because firewall rules permit unrestricted traffic to the Docker bridge network, exposing all internal Docker containers to the network. The lack of authentication, access control lists, or client-side identifiers allows attackers to interact with any internal API, completely bypassing the product's authentication mechanisms. The consequences include unauthorized remote access to internal services, potential credential theft, manipulation of configurations, and in some cases, remote code execution.

Impact

Exploitation of this vulnerability leads to unauthorized access to internal Docker APIs, allowing for interaction with exposed services. This could result in credential theft, unauthorized changes to configurations, and potentially executing arbitrary code on the server.

Remediation

Users can update to Vasion Print Virtual Appliance Host version 25.2.169 and Application version 25.2.1518. Instructions for updating the Virtual Appliance can be found in the Vasion Print Application Update topic.