CVE-2018-4056
coturn - security update
CVSS 3.1 base score: 9.8 (CRITICAL)
EPSS: 0.49%
Description
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
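The bug class in the description is a login check that splices the submitted username into a SQL string, so quote characters in the username rewrite the query and the password comparison can be commented out. The following is an added example written for this page, not code from coturn: it uses a constructed in-memory SQLite table (table name, columns and credentials are hypothetical, not coturn's schema) and shows the string-formatted login beside the parameterized one, with two crafted usernames of the kind the advisory refers to.

```python
import sqlite3

# Constructed stand-in for a portal admin store. Not coturn's real schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE portal_admin (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO portal_admin VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query with string formatting, so quote characters in the
    username become part of the SQL. This is the pattern the advisory describes."""
    query = ("SELECT name FROM portal_admin "
             "WHERE name = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver passes the username as a
    value, never as SQL text, so a crafted name is just a non-matching name."""
    query = "SELECT name FROM portal_admin WHERE name = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Crafted usernames: the first closes the string and comments out the password
# clause with "--"; the second does the same and also matches every row.
BYPASS_USERNAMES = ["admin' --", "' OR 1=1 --"]


def demo() -> dict:
    """Runs each payload through both login paths with a wrong password and
    returns {username: {"vulnerable": bool, "fixed": bool}}."""
    conn = make_db()
    results = {}
    for user in BYPASS_USERNAMES:
        results[user] = {
            "vulnerable": login_vulnerable(conn, user, "not-the-password"),
            "fixed": login_fixed(conn, user, "not-the-password"),
        }
    return results


if __name__ == "__main__":
    for user, outcome in demo().items():
        print(repr(user), outcome)
```

Both payloads log in through the formatted query and fail through the bound one. The same remedy applies to native code against any of the database backends coturn supports: bind the username as a parameter (for example sqlite3_bind_text, PQexecParams or mysql_stmt_bind_param) rather than formatting it into the statement. Independently of the code fix, the description notes the attack arrives over the server's external interface, so keeping the administrator portal off that interface removes the exposure even before patching.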
How to fix CVE-2018-4056
To remediate CVE-2018-4056, upgrade the affected package to the fixed version for the package stream the host tracks (the +deb8u1 and +deb9u1 suffixes denote Debian 8 and Debian 9 security uploads respectively):
- upgrade to 4.5.1.0-1 or later
- upgrade to 4.2.1.2-1+deb8u1 or later
- upgrade to 4.5.0.5-1+deb9u1 or later
Is CVE-2018-4056 being exploited?
Low. EPSS is 0.49%, the model's estimated probability that the vulnerability is exploited in the wild within the next 30 days. That is a prediction, not evidence that no exploit exists: the vector is network-reachable and unauthenticated, and the advisory itself describes a working authentication bypass, so any administrator portal reachable from the external interface should be patched regardless of the EPSS figure.
Affected packages (3)
- from 0, < 4.5.1.0-1
- from 0, < 4.2.1.2-1+deb8u1
- from 0, < 4.5.0.5-1+deb9u1
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |