CVE-2018-4300

NameCVE-2018-4300
DescriptionThe session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1936-1
NVD severitymedium
Debian Bugs915909

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cups (PTS)jessie1.7.5-11+deb8u2vulnerable
jessie (security)1.7.5-11+deb8u7fixed
stretch2.2.1-8+deb9u5fixed
stretch (security)2.2.1-8+deb9u2vulnerable
buster2.2.10-6+deb10u3fixed
bullseye, sid2.3.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cupssource(unstable)2.2.10-1915909
cupssourcejessie1.7.5-11+deb8u6DLA-1936-1
cupssourcestretch2.2.1-8+deb9u3

Notes

https://github.com/apple/cups/commit/feb4c62b211bfbd78dc10d737d873439ccdfa58c (2.2.10)
https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3 (2.3b6)
Clarification about typo for CVE id: https://github.com/apple/cups/issues/5561

Search for package or bug name: Reporting problems