CVE-2018-4300

NameCVE-2018-4300
DescriptionThe session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1936-1
NVD severitymedium
Debian Bugs915909

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cups (PTS)stretch2.2.1-8+deb9u6fixed
stretch (security)2.2.1-8+deb9u2vulnerable
buster2.2.10-6+deb10u3fixed
bullseye, sid2.3.3-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cupssourcejessie1.7.5-11+deb8u6DLA-1936-1
cupssourcestretch2.2.1-8+deb9u3
cupssource(unstable)2.2.10-1915909

Notes

https://github.com/apple/cups/commit/feb4c62b211bfbd78dc10d737d873439ccdfa58c (2.2.10)
https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3 (2.3b6)
Clarification about typo for CVE id: https://github.com/apple/cups/issues/5561

Search for package or bug name: Reporting problems