CVE-2020-4067 — Improper Initialization in Project Coturn

CWE-665 — Improper Initialization7 documents6 sources

Severity

7.5HIGHNVD

CNA7.0

EPSS

1.1%

top 21.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Coturn Project Coturn Coturn Canonical Ubuntu Linux +3 more

Timeline

PublishedJun 29

Latest updateJul 6

Description

In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. This has been fixed in 4.5.1.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDcoturn_project/coturn< 4.5.1.3

▶Debiancoturn_project/coturn< 4.5.1.3-1+3

▶Ubuntucoturn_project/coturn< 4.5.0.3-1ubuntu0.3+2

▶CVEListV5coturn/coturn>= 5.1.1, < 6.0.0

▶NVDopensuse/leap15.2

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 31, 32, Ubuntu Linux 16.04, 18.04, 19.10, 20.04

🔴Vulnerability Details

OSV

coturn vulnerabilities↗2020-07-06

▶

OSV

CVE-2020-4067: In coturn before version 4↗2020-06-29

▶

CVEList

Improper Initialization in coturn↗2020-06-29

▶

📋Vendor Advisories

Ubuntu

coTURN vulnerabilities↗2020-07-06

▶

Debian

CVE-2020-4067: coturn - In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response b...↗2020

▶

💬Community

Bugzilla

CVE-2020-4067 coturn: STUN response buffer not initialized properly↗2020-06-30

▶