Bug 1649347 (CVE-2018-4700)
Summary: | CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | arachman, bmcclain, dblechte, dfediuck, eedri, jpopelka, lveyde, mgoldboi, michal.skrivanek, mperina, nlevy, sbonazzo, scorneli, security-response-team, sherold, twaugh, yturgema, zdohnal |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | cups 2.2.10 | Doc Type: | If docs needed, set a value |
Doc Text: | [REJECTED CVE] A predictable session cookie vulnerability was identified in the CUPS printing server. Insufficient randomness in session cookie generation made it easy to guess, undermining CSRF protection. This flaw allowed unauthorized scripted access to the CUPS web interface when enabled, posing a risk of unauthorized control or configuration of the printing server. |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-03-31 22:33:27 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1651575, 1657750, 1657859 | ||
Bug Blocks: | 1649349 |
Description
Pedro Sampaio
2018-11-13 12:46:54 UTC
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1657750]

Stefan, would you mind creating the bugzilla for RHEL 8 too?

*** Bug 1695929 has been marked as a duplicate of this bug. ***

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:1050 https://access.redhat.com/errata/RHSA-2020:1050

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-4700

A few notes on the history of CVE-2018-4700 vs. CVE-2018-4300.

The CVE that was originally used for this issue was CVE-2018-4700. That CVE appeared in the upstream commit (see comment 8):

https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3

and it was also used in the CHANGES file in the fixed cups version 2.2.10. This CVE was used in Red Hat advisory RHSA-2020:1050 - see comment 14.

Some time later, Mitre made a query to upstream if CVE-2018-4700 was the right one to use here, or if CVE-2018-4300 should have been used instead:

https://github.com/apple/cups/issues/5561

which led to upstream amending the CHANGES file to list CVE-2018-4300 instead:

https://github.com/apple/cups/commit/35064a25961c2d874ce6e1e90d947ad59e9a78d6

This change was first included in version 2.2.12. The release announcement on GitHub for version 2.2.10 was retroactively updated to list CVE-2018-4300 as well:

https://github.com/apple/cups/releases/tag/v2.2.10

Note that the Release Notes page on cups.org currently lists CVE-2018-4700:

https://www.cups.org/doc/relnotes.html#020210

Mitre marked CVE-2018-4700 as rejected as a duplicate of CVE-2018-4300.

Statement:

This vulnerability was originally assigned CVE-2018-4700, but after the publication of security errata the identifier was changed to CVE-2018-4300. Both identifiers refer to the same vulnerability. Since some sources use CVE-2018-4700 and others use CVE-2018-4300, Red Hat security advisories for this vulnerability have been amended to include both identifiers.