{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2020-26262","title":"Title"},{"category":"description","text":"Coturn is free open source implementation of TURN and STUN Server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received and subsequently, `CONNECTIONBIND` also received a successful response. Coturn then is able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is default, the loopback interface can also be reached by making use of either `[::1]` or `[::]` as the peer address. By using the address `0.0.0.0` as the peer address, a malicious user will be able to relay packets to the loopback interface, unless `--denied-peer-ip=0.0.0.0` (or similar) has been specified. Since the default configuration implies that loopback peers are not allowed, coturn administrators may choose to not set the `denied-peer-ip` setting. The issue patched in version 4.5.2. As a workaround the addresses in the address block `0.0.0.0/8`, `[::1]` and `[::]` should be denied by default unless `--allow-loopback-peers` has been specified.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2020-26262","url":"https://www.suse.com/security/cve/CVE-2020-26262"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1180764 for CVE-2020-26262","url":"https://bugzilla.suse.com/1180764"}],"title":"SUSE CVE CVE-2020-26262","tracking":{"current_release_date":"2026-03-13T15:07:19Z","generator":{"date":"2023-02-15T03:53:13Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2020-26262","initial_release_date":"2023-02-15T03:53:13Z","revision_history":[{"date":"2023-02-15T03:53:13Z","number":"2","summary":"Current version"},{"date":"2025-01-01T05:14:29Z","number":"3","summary":"Current version"},{"date":"2025-02-15T05:53:12Z","number":"4","summary":"Current version"},{"date":"2025-02-17T06:14:40Z","number":"5","summary":"Current version"},{"date":"2025-03-15T09:38:30Z","number":"6","summary":"Current version"},{"date":"2026-03-13T15:07:19Z","number":"7","summary":"severity changed from moderate to important"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"coturn-4.5.2-2.2","product":{"name":"coturn-4.5.2-2.2","product_id":"coturn-4.5.2-2.2","product_identification_helper":{"cpe":"cpe:2.3:a:coturn_project:coturn:4.5.2:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/coturn@4.5.2-2.2"}}},{"category":"product_version","name":"coturn-devel-4.5.2-2.2","product":{"name":"coturn-devel-4.5.2-2.2","product_id":"coturn-devel-4.5.2-2.2","product_identification_helper":{"purl":"pkg:rpm/suse/coturn-devel@4.5.2-2.2"}}},{"category":"product_version","name":"coturn-utils-4.5.2-2.2","product":{"name":"coturn-utils-4.5.2-2.2","product_id":"coturn-utils-4.5.2-2.2","product_identification_helper":{"purl":"pkg:rpm/suse/coturn-utils@4.5.2-2.2"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"coturn-4.5.2-2.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:coturn-4.5.2-2.2"},"product_reference":"coturn-4.5.2-2.2","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"coturn-devel-4.5.2-2.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:coturn-devel-4.5.2-2.2"},"product_reference":"coturn-devel-4.5.2-2.2","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"coturn-utils-4.5.2-2.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:coturn-utils-4.5.2-2.2"},"product_reference":"coturn-utils-4.5.2-2.2","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2020-26262","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-26262"}],"notes":[{"category":"general","text":"Coturn is free open source implementation of TURN and STUN Server. Coturn before version 4.5.2 by default does not allow peers to connect and relay packets to loopback addresses in the range of `127.x.x.x`. However, it was observed that when sending a `CONNECT` request with the `XOR-PEER-ADDRESS` value of `0.0.0.0`, a successful response was received and subsequently, `CONNECTIONBIND` also received a successful response. Coturn then is able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is default, the loopback interface can also be reached by making use of either `[::1]` or `[::]` as the peer address. By using the address `0.0.0.0` as the peer address, a malicious user will be able to relay packets to the loopback interface, unless `--denied-peer-ip=0.0.0.0` (or similar) has been specified. Since the default configuration implies that loopback peers are not allowed, coturn administrators may choose to not set the `denied-peer-ip` setting. The issue patched in version 4.5.2. As a workaround the addresses in the address block `0.0.0.0/8`, `[::1]` and `[::]` should be denied by default unless `--allow-loopback-peers` has been specified.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:coturn-4.5.2-2.2","openSUSE Tumbleweed:coturn-devel-4.5.2-2.2","openSUSE Tumbleweed:coturn-utils-4.5.2-2.2"]},"references":[{"category":"external","summary":"CVE-2020-26262","url":"https://www.suse.com/security/cve/CVE-2020-26262"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1180764 for CVE-2020-26262","url":"https://bugzilla.suse.com/1180764"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:coturn-4.5.2-2.2","openSUSE Tumbleweed:coturn-devel-4.5.2-2.2","openSUSE Tumbleweed:coturn-utils-4.5.2-2.2"]}],"scores":[{"cvss_v3":{"baseScore":7.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"},"products":["openSUSE Tumbleweed:coturn-4.5.2-2.2","openSUSE Tumbleweed:coturn-devel-4.5.2-2.2","openSUSE Tumbleweed:coturn-utils-4.5.2-2.2"]}],"threats":[{"category":"impact","date":"2021-01-12T08:18:07Z","details":"important"}],"title":"CVE-2020-26262"}]}