Vulnerability Description
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Coturn Project | Coturn | < 4.5.0.9 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://lists.debian.org/debian-lts-announce/2019/02/msg00017.htmlMailing ListThird Party Advisory
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0730ExploitThird Party Advisory
- https://www.debian.org/security/2019/dsa-4373Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/02/msg00017.htmlMailing ListThird Party Advisory
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0730ExploitThird Party Advisory
- https://www.debian.org/security/2019/dsa-4373Third Party Advisory
FAQ
What is CVE-2018-4056?
CVE-2018-4056 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL inject...
How severe is CVE-2018-4056?
CVE-2018-4056 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-4056?
Check the references section above for vendor advisories and patch information. Affected products include: Coturn Project Coturn, Debian Debian Linux.