CVE-2018-4058

{"id": "CVE-2018-4058", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "talos-cna@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2019-03-21T16:00:54.077", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0732", "tags": ["Mitigation", "Third Party Advisory"], "source": "talos-cna@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An exploitable unsafe default configuration vulnerability exists in the TURN server functionality of coTURN prior to 4.5.0.9. By default, the TURN server allows relaying external traffic to the loopback interface of its own host. This can provide access to other private services running on that host, which can lead to further attacks. An attacker can set up a relay with a loopback address as the peer on an affected TURN server to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad explotable de configuraci\u00f3n insegura por defecto en la funcionalidad del servidor TURN de coTURN, en versiones anteriores a la 4.5.0.9. Por defecto, el servidor TURN permite la reproducci\u00f3n de tr\u00e1fico externo en la interfaz de bucle invertido de su propio host. Esto puede proporcionar acceso a otros servicios privados que se ejecutan en dicho host, lo que puede conducir a m\u00e1s ataques. Un atacante puede configurar un relay con una direcci\u00f3n de bucle invertido como peer en un servidor TURN afectado para desencadenar esta vulnerabilidad."}], "lastModified": "2022-06-07T17:18:23.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:coturn_project:coturn:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2000F9A5-D594-4ED7-8C14-CE3F0409FEE0", "versionEndExcluding": "4.5.0.9"}], "operator": "OR"}]}], "sourceIdentifier": "talos-cna@cisco.com"}