CVE-2020-26262 log

Severity High
Remote Yes
Type Insufficient validation
A security issue was found in coturn before version 4.5.2. By default coturn does not allow peers to connect and relay packets to loopback addresses in the 127.x.x.x range. However, it was observed that when sending a CONNECT request with the XOR-PEER-ADDRESS value of , a successful response was received, and subsequently CONNECTIONBIND also received a successful response. Coturn is then able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is the default, the loopback interface can also be reached by using either [::1] or [::] as the peer address.
Group     Package   Affected   Fixed     Severity   Status   Ticket
AVG-1430  coturn               4.5.2-1   High       Fixed

Date         Advisory        Group     Package   Severity   Type
12 Jan 2021  ASA-202101-21   AVG-1430  coturn    High       insufficient validation

The issue can be mitigated by denying the address block, [::1] and [::] with the denied-peer-ip setting.
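As an added illustration (not coturn's code and not part of the advisory), the following Python models the flaw and the mitigation: a deny rule that only knows about 127.x.x.x says nothing about IPv6 loopback or unspecified peers, whereas a check built on the address family plus an operator deny list closes that gap. It assumes that `denied-peer-ip` entries are either a single address or a `first-last` range, as in coturn's sample configuration; the configuration fragment is constructed.

```python
import ipaddress

# Illustrative model of the advisory's flaw: an IPv4-only loopback rule
# (127.x.x.x) that ignores IPv6 loopback and unspecified peers. Not coturn's code.
def naive_peer_allowed(peer: str) -> bool:
    return not peer.startswith("127.")


def parse_denied_peer_ips(conf_text: str):
    """Collect denied-peer-ip entries from turnserver.conf-style text.

    Assumption: an entry is one address or a 'first-last' range.
    """
    ranges = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("denied-peer-ip="):
            continue
        value = line.split("=", 1)[1].strip()
        first, _, last = value.partition("-")
        lo = ipaddress.ip_address(first.strip())
        hi = ipaddress.ip_address(last.strip()) if last else lo
        ranges.append((lo, hi))
    return ranges


def hardened_peer_allowed(peer: str, denied=()) -> bool:
    """Deny loopback, unspecified and IPv4-mapped loopback peers, then the deny list."""
    try:
        addr = ipaddress.ip_address(peer.strip("[]"))
    except ValueError:
        return False  # unparsable peer address: fail closed
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped  # ::ffff:127.0.0.1 is loopback as well
    if addr.is_loopback or addr.is_unspecified:
        return False
    for lo, hi in denied:
        # Cross-family comparisons raise in ipaddress, so match the family first.
        if addr.version == lo.version and lo <= addr <= hi:
            return False
    return True


# Constructed configuration fragment (not taken from the advisory).
SAMPLE_CONF = """
listening-port=3478
denied-peer-ip=::1
denied-peer-ip=::
denied-peer-ip=10.0.0.0-10.255.255.255
"""
DENIED = parse_denied_peer_ips(SAMPLE_CONF)
```

The naive check accepts `::1` and `::` while the hardened check rejects them even before the deny list is consulted.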