CVE-2018-4058

NameCVE-2018-4058
DescriptionAn exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1671-1, DSA-4373-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
coturn (PTS)buster, buster (security)4.5.1.1-1.1+deb10u2fixed
bullseye4.5.2-3fixed
bookworm, sid4.5.2-3.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
coturnsourcejessie4.2.1.2-1+deb8u1DLA-1671-1
coturnsourcestretch4.5.0.5-1+deb9u1DSA-4373-1
coturnsource(unstable)4.5.1.0-1

Search for package or bug name: Reporting problems