Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-4058

An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability.

Published

2019-03-21T16:00:54.077

Last Modified

2024-11-21T04:06:39.700

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.7 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	coturn_project	coturn	< 4.5.0.9	Yes

References

https://talosintelligence.com/vulnerability_reports/TALOS-2018-0732 Mitigation, Third Party Advisory ([email protected])
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0732 Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)