Candidate: CVE-2018-4300
PublicDate: 2019-04-03 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4300
 https://ubuntu.com/security/notices/USN-3842-1
Description:
 The session cookie generated by the CUPS web interface was easy to guess
 on Linux, allowing unauthorized scripted access to the web interface when
 the web interface is enabled. This issue affected versions prior to
 v2.2.10.
Ubuntu-Description:
Notes:
 mdeslaur> Updates for this issue were originally assigned CVE-2018-4700,
 mdeslaur> which was a typo and got rejected.
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915909
Priority: medium
Discovered-by: Jann Horn
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]

Patches_cups:
 upstream: https://github.com/apple/cups/commit/feb4c62b211bfbd78dc10d737d873439ccdfa58c (2.2.10)
 upstream: https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3 (2.3b6)
upstream_cups: released (2.2.10-1)
precise/esm_cups: DNE
trusty_cups: released (1.7.2-0ubuntu1.11)
trusty/esm_cups: DNE
xenial_cups: released (2.1.3-4ubuntu0.6)
esm-infra/xenial_cups: released (2.1.3-4ubuntu0.6)
bionic_cups: released (2.2.7-1ubuntu2.2)
cosmic_cups: released (2.2.8-5ubuntu1.1)
focal_cups: not-affected (2.3.1-9ubuntu1.1)
devel_cups: not-affected