CVE-2018-4300

NameCVE-2018-4300
DescriptionThe session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1936-1
Debian Bugs915909

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cups (PTS)buster2.2.10-6+deb10u5fixed
buster (security)2.2.10-6+deb10u6fixed
bullseye (security), bullseye2.3.3op2-3+deb11u2fixed
bookworm, sid2.4.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cupssourcejessie1.7.5-11+deb8u6DLA-1936-1
cupssourcestretch2.2.1-8+deb9u3
cupssource(unstable)2.2.10-1915909

Notes

https://github.com/apple/cups/commit/feb4c62b211bfbd78dc10d737d873439ccdfa58c (2.2.10)
https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3 (2.3b6)
Clarification about typo for CVE id: https://github.com/apple/cups/issues/5561

Search for package or bug name: Reporting problems