DSA-4829-1 coturn -- coturnID: oval:org.secpod.oval:def:69849 | Date: (C)2021-03-07 (M)2023-12-20 |
Class: PATCH | Family: unix |
A flaw was discovered in coturn, a TURN and STUN server for VoIP. By default coturn does not allow peers on the loopback addresses . A remote attacker can bypass the protection via a specially crafted request using a peer address of "0.0.0.0" and trick coturn in relaying to the loopback interface. If listening on IPv6 the loopback interface can also be reached by using either [::1] or [::] as the address.