CVE-2018-4058
published 2019-03-21

Priority: P342 high
CVSS 3.1: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
EPSS: 0.94% (56.3th percentile)

An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coturn_project | coturn | < 4.5.0.9 | 4.5.0.9 |
| coturn_project | coturn | >= 0 < 4.5.1.0-1 | 4.5.1.0-1 |
| coturn_project | coturn | >= 0 < 4.5.1.0-1 | 4.5.1.0-1 |
| coturn_project | coturn | >= 0 < 4.5.1.0-1 | 4.5.1.0-1 |
| coturn_project | coturn | >= 0 < 4.5.1.0-1 | 4.5.1.0-1 |
| debian | coturn | < coturn 4.5.1.0-1 (bookworm) | coturn 4.5.1.0-1 (bookworm) |
| talos | coturn | | |

CVSS provenance

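| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
| nvd | v3.0 | 7.7 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| osv | | 7.7 | HIGH | |
| vendor_debian | | 7.7 | HIGH | |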