FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

coturn -- information leakage

Affected packages
coturn < 4.5.1.3

Details

VuXML ID fce7a6e7-bc5d-11ea-b38d-f0def1d0c3ea
Discovery 2020-06-30
Entry 2020-07-02

Felix Dörre reports:

The issue is that the STUN/TURN response buffer is not initialized properly (CWE-665). This is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client.

References

CVE Name CVE-2020-4067
URL https://github.com/coturn/coturn/commit/fdf7065d0f8e676feaf6734e86370f6dadfb8eec