CVE-2018-4059 — Missing Authorization in Project Coturn

CWE-862 — Missing Authorization CWE-798 — Hard-coded Credentials7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.6%

top 30.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Coturn Project Coturn Talos Coturn

Timeline

PublishedMar 21

Latest updateMay 13

Description

An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4.5.0.9. By default, the TURN server runs an unauthenticated telnet admin portal on the loopback interface. This can provide administrator access to the TURN server configuration, which can lead to additional attacks. An attacker who can get access to the telnet port can gain administrator access to the TURN server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDcoturn_project/coturn< 4.5.0.9

▶Debiancoturn_project/coturn< 4.5.1.0-1+3

▶CVEListV5talos/coturncoTURN 4.5.0.5

🔴Vulnerability Details

GHSA

GHSA-7q4q-c7wp-55p8: An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4↗2022-05-13

▶

OSV

CVE-2018-4059: An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4↗2019-03-21

▶

CVEList

CVE-2018-4059: An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version 4↗2019-03-21

▶

📋Vendor Advisories

Debian

CVE-2018-4059: coturn - An exploitable unsafe default configuration vulnerability exists in the TURN ser...↗2018

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Multiple vulnerabilities in coTURN↗2019-01-29

▶

Talos

Vulnerability Spotlight: Multiple vulnerabilities in coTURN↗2019-01-29

▶