Bug 1649347 (CVE-2018-4700) - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection
Summary: CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection
Alias: CVE-2018-4700
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1651575 1657750 1657859
Blocks: 1649349
TreeView+ depends on / blocked
Reported: 2018-11-13 12:46 UTC by Pedro Sampaio
Modified: 2021-02-16 22:47 UTC (History)
15 users (show)

Fixed In Version: cups 2.2.10
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-03-31 22:33:27 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1050 0 None None None 2020-03-31 19:16:15 UTC

Description Pedro Sampaio 2018-11-13 12:46:54 UTC
A flaw was found in the CUPS printing server. Insufficient randomness makes session cookies predictable, breaking CSRF protection.

Comment 9 Stefan Cornelius 2018-12-10 11:15:27 UTC
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1657750]

Comment 10 Zdenek Dohnal 2018-12-10 13:59:40 UTC
Stefan, would you mind creating the bugzilla for RHEL 8 too?

Comment 13 Zdenek Dohnal 2019-06-04 12:52:33 UTC
*** Bug 1695929 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2020-03-31 19:16:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1050 https://access.redhat.com/errata/RHSA-2020:1050

Comment 15 Product Security DevOps Team 2020-03-31 22:33:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 16 Tomas Hoger 2020-08-19 20:41:15 UTC
Few notes on the history of CVE-2018-4700 vs. CVE-2018-4300.

The CVE that was originally used for this issue was CVE-2018-4700.  That CVE appeared in the upstream commit (see comment 8):


and it was also used in the CHANGES file in the fixed cups version 2.2.10.  This CVE was used in Red Hat advisory RHSA-2020:1050 - see comment 14.

Some time later, Mitre made a query to upstream if CVE-2018-4700 was the right one to use here, or if CVE-2018-4300 should have been used instead:


which led to upstream amending CHANGES file to list CVE-2018-4300 instead:


This change was first included in version 2.2.12.

Release announcement on github for version 2.2.10 was retroactively updated to list CVE-2018-4300 as well:


Note that the Release Notes page cups.org currently lists CVE-2018-4700:


Mitre marked CVE-2018-4700 as rejected as duplicate of CVE-2018-4300.

Comment 17 Doran Moppert 2020-08-20 01:19:26 UTC

This vulnerability was originally assigned CVE-2018-4700, but after the publication of security errata the identifier was changed to CVE-2018-4300.  Both identifiers refer to the same vulnerability.  Since some sources use CVE-2018-4700 and others use CVE-2018-4300, Red Hat security advisories for this vulnerability have been amended to include both identifiers.

Note You need to log in before you can comment on or make changes to this bug.