Coturn · Coturn · CVE-2026-27624
**Name of the Vulnerable Software and Affected Versions**
Coturn versions prior to 4.9.0
**Description**
Coturn, a free, open-source TURN and STUN server implementation, is susceptible to a bypass of loopback and internal range restrictions. Specifically, configurations using "denied-peer-ip" to block loopback and internal ranges can be circumvented by sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value set to "::ffff:127.0.0.1" (the IPv4-mapped IPv6 form of the IPv4 loopback address). This is due to insufficient checks for IPv4-mapped IPv6 addresses in the functions `ioa_addr_is_loopback()`, `ioa_addr_is_zero()`, and `addr_less_eq()` within `src/client/ns_turn_ioaddr.c` prior to version 4.9.0. The root cause is that these functions do not check for `IN6_IS_ADDR_V4MAPPED`, so a mapped address is compared as an ordinary IPv6 address and never matches the IPv4 loopback or internal ranges it actually denotes.
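To make the misclassification concrete, here is an added example (my own code, not coturn's): a naive check that inspects an IPv6 peer address as-is, beside a check that unwraps IPv4-mapped addresses with `IN6_IS_ADDR_V4MAPPED` before applying the same loopback/zero rules; `parse_peer`, `classify` and the two public function names are hypothetical. The same unwrapping step must precede any range comparison of the `addr_less_eq()` kind used by "denied-peer-ip".

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Hypothetical helper, not coturn's code: parse a textual peer address as
 * IPv4 or IPv6. When unwrap is set and the address is IPv4-mapped IPv6
 * (::ffff:a.b.c.d), the embedded IPv4 address is returned instead. */
static int parse_peer(const char *text, int unwrap, int *family, unsigned char *b)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, text, &a4) == 1) {
        *family = AF_INET;
        memcpy(b, &a4, 4);
        return 0;
    }
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    if (unwrap && IN6_IS_ADDR_V4MAPPED(&a6)) {
        *family = AF_INET;
        memcpy(b, &a6.s6_addr[12], 4); /* last four bytes hold the IPv4 address */
        return 0;
    }
    *family = AF_INET6;
    memcpy(b, &a6, 16);
    return 0;
}

/* Shared classifier: 1 if loopback or the unspecified (zero) address,
 * 0 if neither, -1 if the text does not parse. */
static int classify(const char *text, int unwrap)
{
    int family;
    unsigned char b[16];
    struct in6_addr a6;
    if (parse_peer(text, unwrap, &family, b) != 0)
        return -1;
    if (family == AF_INET)
        return b[0] == 127 || (b[0] | b[1] | b[2] | b[3]) == 0;
    memcpy(&a6, b, 16);
    return IN6_IS_ADDR_LOOPBACK(&a6) || IN6_IS_ADDR_UNSPECIFIED(&a6);
}

/* Pre-4.9.0 style check: an IPv4-mapped loopback address looks like an
 * ordinary, non-loopback IPv6 address, so the deny rule never fires. */
int naive_is_loopback_or_zero(const char *text) { return classify(text, 0); }

/* Fixed check: unwrap IPv4-mapped addresses first, then apply the same rules. */
int fixed_is_loopback_or_zero(const char *text) { return classify(text, 1); }
```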
**Recommendations**
Versions prior to 4.9.0 should be updated to version 4.9.0 or later.