CVE-2018-4300

NameCVE-2018-4300
DescriptionThe session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1936-1
NVD severitymedium (attack range: remote)
Debian Bugs915909

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cups (PTS)jessie1.7.5-11+deb8u2vulnerable
jessie (security)1.7.5-11+deb8u6fixed
stretch2.2.1-8+deb9u4fixed
stretch (security)2.2.1-8+deb9u2vulnerable
buster2.2.10-6+deb10u1fixed
bullseye, sid2.3.0-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cupssource(unstable)2.2.10-1medium915909
cupssourcejessie1.7.5-11+deb8u6mediumDLA-1936-1
cupssourcestretch2.2.1-8+deb9u3medium

Notes

https://github.com/apple/cups/commit/feb4c62b211bfbd78dc10d737d873439ccdfa58c (2.2.10)
https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3 (2.3b6)
Clarification about typo for CVE id: https://github.com/apple/cups/issues/5561

Search for package or bug name: Reporting problems