CVE-2018-4300
Published: 3 April 2019
The session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when it is enabled. This issue affected versions prior to v2.2.10.
Notes
Author | Note |
---|---|
mdeslaur | Updates for this issue were originally assigned CVE-2018-4700, which was a typo and got rejected. |
Priority
Status
Package | Release | Status |
---|---|---|
cups | bionic | Released (2.2.7-1ubuntu2.2) |
cups | cosmic | Released (2.2.8-5ubuntu1.1) |
cups | focal | Not vulnerable (2.3.1-9ubuntu1.1) |
cups | trusty | Released (1.7.2-0ubuntu1.11) |
cups | upstream | Released (2.2.10-1) |
cups | xenial | Released (2.1.3-4ubuntu0.6) |

Patches:
upstream: https://github.com/apple/cups/commit/feb4c62b211bfbd78dc10d737d873439ccdfa58c
upstream: https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.9 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |