CVE-2020-26262

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26262
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26262.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-26262
Aliases
  • GHSA-6g6j-r9rf-cm7p
Related
Published
2021-01-13T19:15:16Z
Modified
2024-10-12T06:24:25.341990Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
[none]
Details

Coturn is a free, open source implementation of a TURN and STUN server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range 127.x.x.x. However, it was observed that when sending a CONNECT request with an XOR-PEER-ADDRESS value of 0.0.0.0, a successful response was received and, subsequently, CONNECTIONBIND also received a successful response. Coturn is then able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is the default, the loopback interface can also be reached by using either [::1] or [::] as the peer address. By using the address 0.0.0.0 as the peer address, a malicious user is able to relay packets to the loopback interface unless --denied-peer-ip=0.0.0.0 (or similar) has been specified. Since the default configuration implies that loopback peers are not allowed, coturn administrators may choose not to set the denied-peer-ip setting. The issue is patched in version 4.5.2. As a workaround, the addresses in the block 0.0.0.0/8, [::1] and [::] should be denied by default unless --allow-loopback-peers has been specified.
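The peer-address policy the fix describes, written out as an added example (not coturn's own code): reject 127.0.0.0/8, 0.0.0.0/8, [::1] and [::] as relay peers unless loopback peers are explicitly allowed, while an operator's denied-peer list always wins. It goes slightly beyond the advisory by unwrapping IPv4-mapped IPv6 addresses before the check; the function name and the `denied_peer_ips` parameter are assumptions for this illustration.

```python
import ipaddress

# Blocks the advisory says must be denied by default (127/8 was already
# denied; 0.0.0.0/8, ::1 and :: are the ones CVE-2020-26262 adds).
LOOPBACK_OR_UNSPECIFIED = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("::/128"),
)


def peer_address_allowed(peer, allow_loopback_peers=False, denied_peer_ips=()):
    """Return True if `peer` (an XOR-PEER-ADDRESS value, optionally in
    [brackets]) may be used as a relay target.

    `allow_loopback_peers` mirrors --allow-loopback-peers and
    `denied_peer_ips` mirrors a list of --denied-peer-ip CIDRs (both
    names are assumptions for this example, not coturn's parser).
    """
    try:
        addr = ipaddress.ip_address(peer.strip("[]"))
    except ValueError:
        return False  # unparsable input is never a valid peer

    # Added generalisation: treat ::ffff:127.0.0.1 as 127.0.0.1 so the
    # IPv4-mapped form cannot sidestep the IPv4 block list.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # Operator-configured denials apply regardless of any opt-in.
    for cidr in denied_peer_ips:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return False

    # Loopback / unspecified peers are denied unless explicitly allowed.
    if not allow_loopback_peers:
        for net in LOOPBACK_OR_UNSPECIFIED:
            if addr in net:
                return False

    return True
```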

References

Affected packages

Debian:11 / coturn

Package

Name
coturn
Purl
pkg:deb/debian/coturn?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.5.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / coturn

Package

Name
coturn
Purl
pkg:deb/debian/coturn?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.5.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / coturn

Package

Name
coturn
Purl
pkg:deb/debian/coturn?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.5.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/coturn/coturn

Affected ranges

Type
GIT
Repo
https://github.com/coturn/coturn
Events
Introduced
0 (unknown introduced commit / all previous commits are affected)
Fixed

Affected versions

4.*

4.4.5.3
4.4.5.4
4.5.0.1
4.5.0.2
4.5.0.3
4.5.0.4
4.5.0.5
4.5.0.6
4.5.0.7
4.5.0.8
4.5.1.0
4.5.1.1
4.5.1.2
4.5.1.3