CVE-2020-4067

Name
CVE-2020-4067
Description
In coturn before version 4.5.1.3, the STUN/TURN response buffer is not initialized properly, which leaks information between different client connections. One client (an attacker) could use their connection to intelligently query coturn and obtain interesting bytes, in the padding bytes, from the connection of another client. This has been fixed in 4.5.1.3.
NVD Severity
medium

References

| Type | URI |
| --- | --- |
| Release Notes | https://github.com/coturn/coturn/blob/aab60340b201d55c007bcdc853230f47aa2dfdf1/ChangeLog#L15 |
| Third Party Advisory | https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm |
| Third Party Advisory | https://github.com/coturn/coturn/issues/583 |
| Third Party Advisory | https://www.debian.org/security/2020/dsa-4711 |
| Mailing List | https://lists.debian.org/debian-lts-announce/2020/07/msg00002.html |
| Third Party Advisory | http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00010.html |
| UBUNTU | https://usn.ubuntu.com/4415-1/ |
| FEDORA | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TNJJO77ZLGGFJWNUGP6VDG5HPAC5UDBK/ |
| FEDORA | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5G35UBNSRLL6SYRTODYTMBJ65TLQILUM/ |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:coturn_project:coturn:*:*:*:*:*:*:*:* | coturn | >= None | < 4.5.1.3 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status