|Description||An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 188.8.131.52. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|coturn (PTS)||buster, buster (security)||184.108.40.206-1.1+deb10u2||fixed|
|sid, trixie, bookworm||4.6.1-1||fixed|
The information below is based on the following data on fixed versions.